22 May 2018

IDENTITY AWARENESS

R80.10

Administration Guide
Classification: [Protected]
© 2018 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part
of this product or related documentation may be reproduced in any form or by any means without
prior written authorization of Check Point. While every precaution has been taken in the
preparation of this book, Check Point assumes no responsibility for errors or omissions. This
publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our
trademarks.
Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html
for a list of relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date
with the latest functional improvements, stability fixes, security enhancements and
protection against new and evolving attacks.

Check Point R80.10

For more about this release, see the R80.10 home page
http://supportcontent.checkpoint.com/solutions?id=sk111841.

Latest Version of this Document

Download the latest version of this document
http://supportcontent.checkpoint.com/documentation_download?ID=54825.
To learn more, visit the Check Point Support Center
http://supportcenter.checkpoint.com.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
mailto:[email protected]?subject=Feedback on Identity
Awareness R80.10 Administration Guide.

Searching in Multiple PDFs

To search for text in all the R80.10 PDF documents, download and extract the
complete R80.10 documentation package
http://downloads.checkpoint.com/dc/download.htm?ID=54846.
Use Shift-Control-F in Adobe Reader or Foxit reader.

Revision History
Date Description
22 May 2018 Updated: Selecting Identity Sources (on page 96) - added priorities of the
different Identity Sources

02 May 2018 Updated: Using AD Query with NTLMv2 (on page 45)

21 December 2017 Updated: CLI commands ("Identity Awareness Commands" on page 152)

27 November 2017 Updated: Terms

15 May 2017 First release of this document

 Important Information

SmartConsole Toolbars
For a guided tour of SmartConsole, click What's New in the left bottom corner of SmartConsole.

Global Toolbar (top left of SmartConsole)

Description and Keyboard Shortcut
The main SmartConsole Menu

The Objects menu.

Also leads to the Object Explorer Ctrl+E

Install policy on managed gateways

Ctrl+Shift+Enter

Navigation Toolbar (left side of SmartConsole)

Description and Keyboard Shortcut
Gateways & Servers configuration view
Ctrl+1

Security Policies Access Control view

Security Policies Threat Prevention view
Ctrl+2

Logs & Monitor view

Ctrl+3

Manage & Settings view - review and configure the Security Management
Server settings
Ctrl+4

Command Line Interface Button (left bottom corner of SmartConsole)

Description and Keyboard Shortcut
Open a command line interface for management scripting and API
F9

What's New Button (left bottom corner of SmartConsole)

Description and Keyboard Shortcut
Open a tour of the SmartConsole

Identity Awareness Administration Guide R80.10 | 4

 Important Information

Objects and Validations Tabs (right side of SmartConsole)

Description
Objects Manage security and network objects

Validations Validation warnings and errors

System Information Area (bottom of SmartConsole)

Description
Task List Management activities, such as policy installation tasks

Server Details The IP address of the Security Management Server

Connected The administrators that are connected to the Security Management Server
Users

Identity Awareness Administration Guide R80.10 | 5

Contents
Important Information................................................................................................... 3
SmartConsole Toolbars ............................................................................................ 4
Terms .......................................................................................................................... 11
Introduction to Identity Awareness ............................................................................. 14
Access Role Objects ................................................................................................ 16
Identity Sources ...................................................................................................... 17
AD Query .......................................................................................................................17
Browser-Based Authentication .....................................................................................19
Identity Agents...............................................................................................................21
Terminal Servers...........................................................................................................25
RADIUS Accounting .......................................................................................................26
Remote Access ..............................................................................................................27
Identity Collector ...........................................................................................................28
Identity Web API ............................................................................................................29
Comparison of Acquisition Sources ........................................................................ 30
Deployment ............................................................................................................. 33
Identity Awareness Default Ports ........................................................................... 33
Configuring Identity Awareness .................................................................................. 35
Enabling Identity Awareness on the Security Gateway ........................................... 35
Creating Access Roles ............................................................................................ 38
Using Identity Awareness in the Firewall Rule Base .............................................. 39
Working with Access Role Objects in the Rule Base ......................................................39
Negate and Drop............................................................................................................40
Identifying Users Behind an HTTP Proxy Server ..................................................... 42
Configuring Identity Sources ....................................................................................... 44
Configuring AD Query.............................................................................................. 44
Enabling AD Query .........................................................................................................44
Single User Assumption ................................................................................................44
Excluding Users, Computers and Networks ..................................................................45
Managing the Suspected Service Account List ...............................................................45
Using AD Query with NTLMv2 ........................................................................................45
Automatic LDAP Group Update ......................................................................................46
Specifying Domain Controllers per Security Gateway ....................................................48
Troubleshooting ............................................................................................................49
Configuring Browser-Based Authentication in SmartConsole................................ 52
Portal Network Location................................................................................................52
Access Settings .............................................................................................................52
Authentication Settings .................................................................................................53
Customize Appearance ..................................................................................................54
User Access ...................................................................................................................54
Endpoint Identity Agent Deployment from the Portal ....................................................55
Configuring Endpoint Identity Agents ..................................................................... 56
Endpoint Identity Agent Deployment Methods ...............................................................56
Configuring Endpoint Identity Agents in SmartConsole .................................................57
Troubleshooting Authentication Issues .........................................................................58
Configuring Terminal Servers................................................................................. 59
Deploying the Terminal Servers Identity Awareness Solution .......................................59
 Terminal Servers Endpoint Identity Agent Users Tab ....................................................61
Terminal Servers Advanced Settings.............................................................................61
Configuring RADIUS Accounting ............................................................................. 63
Enabling RADIUS Accounting on a Security Gateway .....................................................63
RADIUS Client Access Permissions ...............................................................................63
Authorized RADIUS Clients ............................................................................................64
RADIUS Message Attribute Indices ................................................................................64
Session Timeout and LDAP Servers...............................................................................65
RADIUS Secondary IP and Dual Stack Support ..............................................................65
RADIUS Attribute Parsing ..............................................................................................66
Receiving Groups from RADIUS Messages ....................................................................66
Configuring Remote Access .................................................................................... 68
Configuring Identity Collector ................................................................................. 69
Deploying the Identity Collector Solution.......................................................................69
Installing the Identity Collector .....................................................................................69
Configuring the Identity Collector in the Identity Awareness Gateway object ................70
Configuring the Identity Collector to Work with Active Directory ...................................72
Configuring Identity Awareness API........................................................................ 79
Client Access Permissions ............................................................................................79
Authorized Clients and Selected Client Secret ..............................................................80
Authentication Settings .................................................................................................80
Identity Web API Commands ................................................................................... 81
Versioning .....................................................................................................................81
Add Identity (v1.0) ..........................................................................................................82
Delete Identity (v1.0) ......................................................................................................86
Query Identity (v1.0) .......................................................................................................89
Bulk Commands (v1.0) ...................................................................................................92
Troubleshooting ............................................................................................................95
Selecting Identity Sources........................................................................................... 96
Identity Awareness Use Cases .................................................................................... 98
Acquiring Identities for Active Directory Users ....................................................... 98
Scenario: Laptop Access................................................................................................98
Acquiring Identities with Browser-Based Authentication ..................................... 100
Scenario: Recognized User from Unmanaged Device ..................................................100
Acquiring Identities with Endpoint Identity Agents ............................................... 103
Scenario: Endpoint Identity Agent Deployment and User Group Access ...................... 103
User Identification in the Logs .....................................................................................104
Acquiring Identities in a Terminal Server Environment ........................................ 105
Scenario: Identifying Users Accessing the Internet through Terminal Servers ........... 105
Acquiring Identities in Application Control ........................................................... 106
Scenario: Identifying Users in Application Control Logs ..............................................106
Configuring Identity Logging for a Log Server .......................................................... 107
Enabling Identity Awareness on the Log Server for Identity Logging ................... 107
Install Database for a Log Server.......................................................................... 109
WMI Performance ................................................................................................. 109
Identity Awareness Deployment ............................................................................... 110
Identity Sharing ..................................................................................................... 110
Configuring Identity Awareness for a Domain Forest (Subdomains) .................... 110
Non-English Language Support ............................................................................ 111
Nested Groups ...................................................................................................... 112
Configuring Nested Groups Query Options ..................................................................112
Advanced Identity Awareness Deployment ............................................................... 113
Introduction to Advanced Identity Awareness Deployment................................... 113
Deployment Options .............................................................................................. 114
Deploying a Test Environment .............................................................................. 114
Testing Endpoint Identity Agents .................................................................................114
Deployment Scenarios .......................................................................................... 115
Perimeter Identity Awareness Gateway.......................................................................115
Data Center Protection ................................................................................................116
Large Scale Enterprise Deployment ............................................................................117
Network Segregation...................................................................................................119
Distributed Enterprise with Branch Offices .................................................................120
Wireless Campus.........................................................................................................122
Dedicated Identity Acquisition Security Gateway .........................................................122
Advanced Browser-Based Authentication Configuration .......................................... 124
Customizing Text Strings ...................................................................................... 124
Setting Captive Portal to String ID Help Mode .............................................................124
Changing Portal Text in SmartConsole ........................................................................124
Adding a New Language ........................................................................................ 126
Editing the Language Array .........................................................................................126
Creating New Language Files ......................................................................................126
Saving New Language Files .........................................................................................127
Showing the Language Selection List ..........................................................................127
Making Sure the Strings Show Correctly .....................................................................128
Server Certificates ................................................................................................ 129
Obtaining and Installing a Trusted Server Certificate ..................................................129
Viewing the Certificate.................................................................................................131
Transparent Kerberos Authentication Configuration............................................ 132
Configuration Overview ...............................................................................................133
Creating a New User Account ......................................................................................133
Mapping the User Account to a Kerberos Principal Name ........................................... 133
Configuring an Account Unit ........................................................................................134
Enabling Transparent Kerberos Authentication ..........................................................135
Browser Configuration ................................................................................................136
Advanced Endpoint Identity Agents Configuration .................................................... 137
Customizing Parameters ...................................................................................... 137
Advanced Endpoint Identity Agent Options............................................................ 138
Kerberos SSO Compliance...........................................................................................138
Server Discovery and Server Trust ..............................................................................141
Creating Custom Endpoint Identity Agents ..................................................................148
Identity Awareness Commands ................................................................................. 152
Introduction........................................................................................................... 152
adlog ..................................................................................................................... 153
adlog query..................................................................................................................153
adlog debug .................................................................................................................154
adlog dc .......................................................................................................................154
adlog statistics ............................................................................................................154
adlog control ...............................................................................................................155
pdp ........................................................................................................................ 157
pdp status ....................................................................................................................158
pdp monitor .................................................................................................................158
pdp connections...........................................................................................................159
pdp network ................................................................................................................159
 pdp update ...................................................................................................................160
pdp nested_groups ......................................................................................................160
pdp ad ..........................................................................................................................160
pdp auth ......................................................................................................................162
pdp radius ...................................................................................................................163
pdp timers ...................................................................................................................163
pdp idc .........................................................................................................................164
pdp tasks_manager .....................................................................................................164
pdp control ..................................................................................................................164
pdp debug ....................................................................................................................165
pep ........................................................................................................................ 167
pep show .....................................................................................................................167
pep show .....................................................................................................................169
pep debug ....................................................................................................................169
pep tracker ..................................................................................................................171
test_ad_connectivity ............................................................................................. 172
References ................................................................................................................ 174
Appendix: Regular Expressions ................................................................................ 175
Regular Expression Syntax ................................................................................... 175
Using Non-Printable Characters........................................................................... 176
Using Character Types .......................................................................................... 176
 of communication between various software
components.
Terms Captive Portal

Access Role A Check Point Identity Awareness web portal,

to which users connect with their web
Access Role objects let you configure browser to log in and authenticate, when
network access according to: using Browser-Based Authentication.
• Networks
Distributed Configuration tool
• Users and user groups
Check Point Endpoint Identity Agent control
• Computers and computer groups tool for Windows-based client computers
• Remote Access Clients - will be that are members of an Active Directory
supported with R80.x gateways domain.

After you activate the Identity Awareness The Distributed Configuration tool lets you
Software Blade, you can create Access Role configure connectivity and trust rules for
objects and use them in the Source and Endpoint Identity Agents - to which Identity
Destination columns of Access Control Policy Awareness Security Gateways the Endpoint
rules. Identity Agent should connect, depending on
its IPv4 / IPv6 address, or Active Directory
AD Site.
Active Directory - Microsoft® directory This tool is installed a part of the Endpoint
information service. Stores data about user, Identity Agent: go to the Windows Start menu
computer, and service identities for > All Programs > Check Point > Identity
authentication and access. Agent.
Note - You must have administrative access
AD Query
to this Active Directory domain.
Check Point clientless identity acquisition
For more information, see AD Based
tool. It is based on Active Directory
Configuration (on page 143).
integration and it is completely transparent
to the user.
Identity Agent
The technology is based on querying the
Check Point dedicated client agent installed
Active Directory Security Event Logs and
on Windows-based user endpoint computers.
extracting the user and computer mapping to
This Endpoint Identity Agent acquires and
the network address from them. It is based
reports identities to the Check Point Identity
on Windows Management Instrumentation
Awareness Security Gateway.
(WMI), a standard Microsoft protocol.
The administrator configures the Identity
The Check Point Security Gateway Agents (not the end users).
communicates directly with the Active There are three types of Endpoint Identity
Directory domain controllers and does not Agents - Full, Light and Custom.
require a separate server. You can download the Full, Light and Custom
Endpoint Identity Agent package from the
No installation is necessary on the clients, or
Captive Portal:
on the Active Directory server.
https://<Gateway_IP_Address>/conn
ect
API
You can transfer the Full and Light Endpoint
In computer programming, an application Identity Agent package from the Identity
programming interface (API) is a set of Awareness Gateway:
subroutine definitions, protocols, and tools $NACPORTAL_HOME/htdocs/nac/naccli
for building application software. In general ents/customAgent.msi
terms, it is a set of clearly defined methods
Identity Collector PEP
Check Point dedicated client agent installed Check Point Identity Awareness Security
on Windows Servers in your network. Identity Gateway that acts as Policy Enforcement
Collector collects information about Point:
identities and their associated IP addresses,
• Receives identities via identity sharing
and sends it to the Check Point Security
Gateways for identity enforcement. For more • Redirects users to Captive Portal
information, see sk108235 RADIUS
http://supportcontent.checkpoint.com/soluti
ons?id=sk108235. Remote Authentication Dial-In User Service
You can download the Identity Collector (RADIUS) is a networking protocol that
package from the Identity Awareness provides centralized Authentication,
Gateway: Authorization, and Accounting (AAA or Triple
https://<Gateway_IP_Address>/_IA_ A) management for users who connect and
IDC/download/CPIdentityCollector. use a network service. RADIUS is a
msi client/server protocol that runs in the
application layer, and can use either TCP or
Kerberos UDP as transport.
A computer network authentication protocol
that works based on tickets to allow nodes Rule
communicating over a non-secure network A set of traffic parameters and other
to prove their identity to one another in a conditions that cause specified actions to be
secure manner. taken for a communication session.
Kerberos builds on symmetric key
Rule Base
cryptography and requires a trusted third
party, and optionally may use public-key The database that contains the rules in a
cryptography during certain phases of security policy and defines the sequence, in
authentication. which they are enforced.

LDAP Security Gateway

The Lightweight Directory Access Protocol A computer or an appliance that runs Check
(LDAP) is an open, vendor-neutral, industry Point software to inspect traffic and enforce
standard application protocol for accessing Security Policies for connected network
and maintaining distributed directory resources.
information services over an Internet
Protocol (IP) network. A common use of Security Management Server
LDAP is to provide a central place to store The server that manages, creates, stores,
usernames and passwords. This allows many and distributes the security policy to Security
different applications and services to connect Gateways.
to the LDAP server to validate users.
Service Account
PDP
In Microsoft® Active Directory, a user
Check Point Identity Awareness Security account created explicitly to provide a
Gateway that acts as Policy Decision Point: security context for services running on
• Acquires identities from identity sources Microsoft® Windows® Server.

• Shares identities with other gateways SmartConsole

A Check Point GUI application used to
manage security policies, monitor products
and events, install updates, provision new
devices and appliances, and manage a
multi-domain environment and each domain.
SSO
Single sign-on is a property of access control
of multiple related, yet independent,
software systems. With this property, a user
logs in with a single ID and password to gain
access to a connected system or systems
without using different usernames or
passwords, or in some configurations
seamlessly sign on at each system. This is
typically accomplished using the Lightweight
Directory Access Protocol (LDAP) and stored
LDAP databases on (directory) servers.

Terminal Server
Microsoft® Windows-based application
server that hosts Terminal Servers, Citrix
XenApp, and Citrix XenDesktop services.

Terminal Servers Identity Agent

Dedicated client agent installed on
Microsoft® Windows-based application
server that hosts Terminal Servers, Citrix
XenApp, and Citrix XenDesktop services. This
client agent acquires and reports identities to
the Check Point Identity Awareness Security
Gateway. In the past, this client agent was
called Multi-User Host (MUH) Agent.
You can download the Terminal Servers
Endpoint Identity Agent from the Identity
Awareness Gateway:
https://<Gateway_IP_Address>/_IA_
MU_Agent/download/muhAgent.exe
CHAPTE R 1

Introduction to Identity Awareness

In This Section:
Access Role Objects .....................................................................................................16
Identity Sources ............................................................................................................17
Comparison of Acquisition Sources.............................................................................30
Deployment ...................................................................................................................33
Identity Awareness Default Ports ................................................................................33

Traditionally, firewalls use IP addresses to monitor traffic and are unaware of the user and
computer identities behind those IP addresses. Identity Awareness removes this notion of
anonymity since it maps users and computer identities. This lets you enforce access and audit
data based on identity.
Identity Awareness is an easy to deploy and scalable solution. It is applicable for both Active
Directory and non-Active Directory based networks, as well as for employees and guest users.
Identity Awareness uses the Source and Destination IP addresses of network traffic to identity
users and computers. You can use these elements as matching criteria in the Source and
Destination fields of your policy rules:
• The identity of users or user groups
• The identity of computers or computer groups
Identity Awareness lets you define policy rules for specified users, who send traffic from specified
computers or from any computer. Likewise, you can create policy rules for any user on specified
computers.

Identity Awareness Administration Guide R80.10 | 14

 Introduction to Identity Awareness

You can see the logs based on user and computer name, and not just IP addresses, in the
SmartConsole > Logs & Monitor > Logs tab. You can see events in the Logs & Monitor Access
Control views.

Identity Awareness gets identities from the configured identity sources. You must enable these
identity sources in the Identity Awareness Gateway object > Identity Awareness page, and install
the Access Policy:

Identity Source Description

Browser-Based Authentication Identities are acquired through authentication web portal on
Identity Awareness Gateway.

Active Directory Query Identities are acquired seamlessly from Microsoft Active
Directory.

Identity Agents Identities are acquired using agents that are installed on the
Endpoint computers.

Terminal Servers Identities are acquired using agents that are installed on
Windows-based application server that hosts Terminal
Servers, Citrix XenApp, and Citrix XenDesktop services.
These agents are used to identify individual user traffic
coming from Terminal Servers.

RADIUS Accounting Identities are acquired using RADIUS Accounting directly

from a RADIUS accounting client.

Identity Awareness Administration Guide R80.10 | 15

 Introduction to Identity Awareness

Identity Source Description

Identity Collector Identities are acquired using agents that are installed on
Microsoft Active Directory Domain Controllers, or Cisco
Identity Services Engine (ISE) Servers.

Identity Web API Gives you a flexible method for creating identities.

Remote Access Identities are acquired for Mobile Access clients and IPsec
VPN clients configured to work in Office Mode, when they
connect to the Security Gateway.

Identity Awareness Security Gateways can share the identity information that they acquire with
other Identity Awareness Security Gateways. This way, users that need to pass through many
Security Gateways are only identified once. See Advanced Deployment ("Advanced Identity
Awareness Deployment" on page 113) for more information.

Access Role Objects

In SmartConsole, you can create Access Role objects to define users, computers and network
locations as one object.
You can use Access Role objects as a source or a destination parameter in a rule.
Access Role objects can include one or more of these objects:
• Networks
• Users and user groups
• Computers and computer groups
• Remote Access Clients
For example, a rule that allows file sharing over FTP between the IT department and the Sales
department Access Roles.

Name Source Destination VPN Services & Action

Applications
IT and Sales File Sharing IT_dept Sales_dept *Any ftp accept

Identity Awareness Administration Guide R80.10 | 16

 Introduction to Identity Awareness

Identity Sources
AD Query
AD Query is an easy to deploy, clientless identity acquisition tool. It is based on Active Directory
integration, and it is completely transparent to the user.
AD Query works when:
• An identified user or computer tries to access a resource that creates an authentication
request. For example, when a user logs in, unlocks a screen, shares a network drive, reads
emails through Exchange, or uses an Intranet portal.
• AD Query is selected as a way to acquire identities.
The technology is based on querying the Active Directory Security Event Logs and extracting the
user and computer mapping to the network address from them. It is based on Windows
Management Instrumentation (WMI), a standard Microsoft protocol. The Identity Awareness
Gateway communicates directly with the Active Directory domain controllers and does not require
a separate server.
No installation is necessary on the clients, or on the Active Directory server.
AD Query extracts user and computer identity information from the Active Directory Security Event
Logs. The system generates a Security Event Log entry when a user or a computer accesses a
network resource. For example, this occurs when a user logs in, unlocks a screen, or accesses a
network drive. Security Event Logs are not generated when a user logs out because Active
Directory cannot detect this action.
When you work with AD Query, it is important that you understand and comply with these
limitations:
• User/IP association timeout - After a predefined period of network inactivity, a user session
closes automatically. The user must log in again with the Captive Portal.
• Many user accounts connected from the same IP address - AD Query cannot detect when a
user logs out. Therefore, more than one user can have open sessions from the same IP
address. When this occurs, the permissions for each account remain active until their User/IP
association timeout occurs. In this scenario, there is a risk that currently connected users can
access network resources, for which they do not have permissions.

How AD Query Works - Firewall Rule Base

Identity Awareness Administration Guide R80.10 | 17

 Introduction to Identity Awareness

Item Description
1 Identity Awareness Gateway

2 Active Directory Domain Controller

3 User with Active Directory credentials

4 Network resources

Flow of events:
1. The Identity Awareness Gateway (1) gets security event logs from the Active Directory Domain
Controllers (2).
2. A user logs in to a computer with Active Directory credentials (3).
3. The Active Directory Domain Controller (2) sends the security event log to the Identity
Awareness Gateway (1).
4. The Identity Awareness Gateway gets the user name (@domain), computer name and source
IP address).
5. The user opens a connection to the network resource (4).
6. The Identity Awareness Gateway confirms the user identity and allows or blocks access to the
resource based on the policy.

Identity Awareness Administration Guide R80.10 | 18

 Introduction to Identity Awareness

Browser-Based Authentication
Browser-Based Authentication gets identities and authenticates users with one of these
acquisition methods:
• Captive Portal ("How Captive Portal Works" on page 19)
• Transparent Kerberos Authentication ("How Transparent Kerberos Authentication Works" on
page 20)

How Captive Portal Works

Captive Portal is a simple method that authenticates users with a web interface. When users try to
access a protected web resource, they enter authentication information in a form that shows in
their web browser.
The Captive Portal shows when a user tries to access a web resource and all of these conditions
apply:
• Captive Portal is enabled.
• The Redirect option enabled for the applicable policy rule.
• Firewall or Application & URL Filtering rules block access by unidentified users to resources
that would be allowed, if they were identified.
The Captive Portal also shows when Transparent Kerberos Authentication is enabled, but
authentication fails.
From the Captive Portal, users can:
• Enter their user name and password (which are configured in the Identity Awareness Gateway
object > Identity Awareness page > near the Browser-Based Authentication, click Settings >
refer to the Users Access section).
• Enter guest user credentials (which are configured in the Identity Awareness Gateway object >
Identity Awareness page > near the Browser-Based Authentication, click Settings > refer to
the Users Access section).
• Click a link to download an Identity Agent (which is configured in the Identity Awareness
Gateway object > Identity Awareness page > near the Browser-Based Authentication, click
Settings > refer to the Identity Agent Deployment from the Portal section).
Browser-Based Authentication with Captive Portal:

Identity Awareness Administration Guide R80.10 | 19

 Introduction to Identity Awareness

Item Description
1 User

2 Identity Awareness Gateway

3 Captive Portal

4 Active Directory Domain Controller

5 Internal Data Center

Flow of events for Browser-Based Authentication with Captive Portal:

1. A user (1) wants to access the Internal Data Center (5).
2. Identity Awareness Gateway (2) does not recognize the user and redirects the user's web
browser to the Captive Portal (3).
3. The user enters regular office credentials. The credentials can be AD or other Check Point
supported authentication methods, such as LDAP, Check Point internal credentials, or
RADIUS.
4. The credentials go to the Identity Awareness Gateway, which finds them in the AD server (4).
5. The user can access the requested URL in the Data Center (5).

How Transparent Kerberos Authentication Works

Browser-Based Authentication with Transparent Kerberos Authentication:
Transparent Kerberos Authentication authenticates users by getting authentication data from the
web browser without any user input. If authentication is successful, the user goes directly to the
specified destination. If authentication fails, the user must enter credentials in the Captive Portal.
Flow of events for Browser-Based Authentication with Transparent Kerberos Authentication:
1. A user wants to access the Internal Data Center.
2. Identity Awareness Gateway does not recognize the user and redirects the user's web browser
to the Transparent Authentication page.
3. The Transparent Authentication page asks the web browser to authenticate itself.
4. The web browser gets a Kerberos ticket from Active Directory and presents it to the
Transparent Authentication page.
5. The Transparent Authentication page sends the ticket to the Identity Awareness Gateway,
which authenticates the user and redirects the user's web browser to the originally requested
URL.
6. If Kerberos authentication fails for some reason, Identity Awareness Gateway redirects the
user's web browser to the Captive Portal.

Identity Awareness Administration Guide R80.10 | 20

 Introduction to Identity Awareness

Identity Agents
Endpoint Identity Agents are dedicated client agents that are installed on user endpoint
computers. These Endpoint Identity Agents acquire and report identities to the Identity Awareness
Gateway. As the administrator, you, not the users, configure these Endpoint Identity Agents.
There are three types of Endpoint Identity Agents - Full, Light and Custom:

Endpoint Identity Agent Description

Full Predefined Endpoint Identity Agent that includes packet tagging and
computer authentication.
It applies to all users on the computer, on which it is installed.
Administrator permissions are required to use the Full Endpoint
Identity Agent type. For the Full Endpoint Identity Agent, you can
enforce IP spoofing protection. You can also leverage computer
authentication, if you define computers in Access Roles.

Light Predefined Endpoint Identity Agent that does not include packet
tagging and computer authentication.
You can install this Endpoint Identity Agent individually for each user
on the target computer.
Administrator permissions are not required to use the Light
Endpoint Identity Agent type.

Custom Configure custom features for all computers that use this Endpoint
Identity Agent, such as MAD services and packet tagging ("Creating
Custom Endpoint Identity Agents" on page 148).
The Custom Endpoint Identity Agent is a customized installation
package.

Note - Make sure to use the correct Endpoint Identity Agent for your environment ("Creating
Custom Endpoint Identity Agents" on page 148).
This table shows the similarities and differences of the Light and Full Endpoint Identity Agent
types.

Endpoint Identity Agent Endpoint Identity Agent

Light Full
Installation Endpoint Identity Agent Resident application Resident application +
Elements format service + driver

Installation permissions None administrator

Upgrade permissions None None

Security User identification SSO SSO

Features
Computer identification No Yes

IP change detection Yes Yes

Packet tagging No Yes

Identity Awareness Administration Guide R80.10 | 21

 Introduction to Identity Awareness

The installation file size is 7MB for both types. The installation takes less than a minute.

The Capabilities of Endpoint Identity Agents

Using Endpoint Identity Agents gives you:

Item Description
User identification Users that log in to the Active Directory domain are
transparently authenticated (with SSO) and identified when
using an Endpoint Identity Agent.
If you do not configure SSO, or you disable it, the Endpoint
Identity Agent uses username and password authentication with
a standard LDAP server.
The system opens a window for entering credentials.

Computer identification You get computer identification when you use the Full Endpoint
Identity Agent, as it requires installing a service.

Seamless connectivity Transparent authentication using Kerberos Single Sign-On

(SSO), when users are logged in to the domain.
Users, who do not want to use SSO, enter their credentials
manually. You can let users save these credentials.

IP change detection When an endpoint IP address changes (interface roaming, or

DHCP assigns a new IP address), the Endpoint Identity Agent
automatically detects the change and reconnects.

Added security You can use the patented packet tagging technology to prevent
IP Spoofing.
Packet tagging is available for the Full Endpoint Identity Agent,
because it requires installation of a driver.
Endpoint Identity Agent also gives you strong (Kerberos-based)
user and computer authentication.

Packet tagging A technology that prevents IP spoofing is available only for the
Full Endpoint Identity Agent, as it requires installing a driver.

Packet Tagging for Anti-Spoofing

IP Spoofing happens when an unauthorized user assigns an IP address of an authenticated user to
an endpoint computer. By doing so, the user bypasses identity access enforcement rules. It is also
possible to poison ARP tables that let users do ARP "man-in-the-middle attacks" that keep a
continuous spoofed connectivity status.
To protect packets from IP spoofing attempts, you can enable Packet Tagging. Packet Tagging is a
patent pending technology that prevents spoofed connections from passing through the Identity
Awareness Gateway. This is done by a joint effort between the Endpoint Identity Agent and the
Identity Awareness Gateway that uses a unique technology that sign packets with a shared key.

Identity Awareness Administration Guide R80.10 | 22

 Introduction to Identity Awareness

To see Packet Tagging logs in SmartConsole:

1. From the Navigation Toolbar, click Logs & Monitor.
2. At the top, click the Logs tab.
3. In the Query field, enter:
blade:"Identity Awareness"
You can also click Queries > Predefined > Access > Identity Awareness Blade > All.
The Successful status indicates that a successful key exchange happened.
Note - Packet Tagging can only be set on computers installed with the Full Endpoint Identity
Agent.

To enable IP Spoofing protection:

1. Make sure users have the Full Endpoint Identity Agent installed.
2. Create an Access Role ("Creating Access Roles" on page 38).
3. In the Machines tab, select Enforce IP spoofing protection (requires full Endpoint Identity
Agent).
4. Click OK.

Downloading Endpoint Identity Agent

Users download the Endpoint Identity Agent from the Captive Portal and then authenticate to the
Identity Awareness Gateway.

Item Description
1 User that is trying to connect to the internal network

2 Identity Awareness Gateway

3 Active Directory domain controller

4 Internal network

Identity Awareness Administration Guide R80.10 | 23

 Introduction to Identity Awareness

This is a high-level overview of the Identity Awareness authentication process:

1. A user logs in to a computer with credentials, and tries to access the Internal Data Center.
2. The Identity Awareness Gateway does not recognize the user and redirects it to the Captive
Portal.
3. The user sees the Captive Portal page, with a link to download the Endpoint Identity Agent.
4. The user downloads the Endpoint Identity Agent from the Captive Portal and installs it.
5. The Endpoint Identity Agent client connects to the Identity Awareness Gateway.
Note - If SSO with Kerberos is configured, the user is automatically connected.
6. The user is authenticated.
7. The Identity Awareness Gateway sends the connection to its destination according to the
Firewall Rule Base.

Identity Awareness Administration Guide R80.10 | 24

 Introduction to Identity Awareness

Terminal Servers
Terminal Servers Endpoint Identity Agent - An Endpoint Identity Agent installed on a
Windows-based application server that hosts Terminal Servers, Citrix XenApp, and Citrix
XenDesktop services. The Identity Awareness Terminal Servers solution lets the system enforce
Identity Awareness policies on multiple users that connect from one IP address. This functionality
is necessary when an administrator must control traffic created by users of application servers
that host Microsoft Terminal Servers, Citrix XenApp, and Citrix XenDesktop.
The Identity Awareness Terminal Servers solution is based on reserving a set of TCP/UDP ports
for each user. Each user that is actively connected to the application server that hosts the
Terminal/Citrix services is dynamically assigned a set of port ranges. The Identity Awareness
Gateway receives that information. Then, when a user attempts to access a resource, the packet is
examined and the port information is mapped to the user.
This Terminal Servers Endpoint Identity Agent type cannot be used for endpoint computers.
For more information, see sk66761 http://supportcontent.checkpoint.com/solutions?id=sk66761.

Identity Awareness Administration Guide R80.10 | 25

 Introduction to Identity Awareness

RADIUS Accounting
You can configure an Identity Awareness Gateway to use RADIUS Accounting to get user and
computer identities directly from a RADIUS accounting client. Identity Awareness Gateway uses
this information to apply access permissions to the connection.
RADIUS Accounting gets identity data from RADIUS Accounting Requests generated by the
RADIUS accounting client. Identity Awareness Gateway uses the data from these requests to get
user and device group information from the LDAP server. Firewall rules apply these permissions
to users, computers and networks.

Item Description
1 RADIUS authentication server with RADIUS Accounting client enabled.
Sends RADIUS accounting request to the Identity Awareness Gateway.

2 Identity Awareness Gateway configured as a RADIUS Accounting server.

3 LDAP server.
Sends identity data for the user to the Identity Awareness Gateway.

4 Internal network resources.

5 Internet.

6 Remote laptops and mobile devices.

Identity Awareness Administration Guide R80.10 | 26

 Introduction to Identity Awareness

Remote Access
Identities are acquired for Mobile Access clients and IPsec VPN clients configured to work in
Office Mode, when they connect to the Security Gateway. This option is enabled by default in the
Identity Awareness Gateway object.

Identity Awareness Administration Guide R80.10 | 27

 Introduction to Identity Awareness

Identity Collector
Check Point Identity Collector is a Windows-based application, which collects information from
Identity Sources about identities and their associated IP addresses. The Identity Collector then
sends this information to the Identity Awareness Gateway for identity enforcement.
The Identity Collector supports these Identity Sources:
• Microsoft Active Directory Domain Controllers
• Cisco Identity Services Engine (ISE) Servers, versions 2.0, 2.1 and 2.2
The Identity Collector can connect with more than one Identity Source at a time. The Identity
Sources are organized in Query Pools.
A Query Pool is an object, which contains a number of Identity Sources. Each Query pool is
assigned to one gateway. The Identity Collector collects information from the Identity Sources in
the Query Pools and sends the information to the gateways.
For example: An environment has two domains: Asia.com and Euro.com.
The administrator wants the Asia Gateway to get the events from all the 4 domain controllers in
the Asia.com domain. He also wants the Euro Gateway 1 and Euro Gateway 2 to get the events
from all the 6 domain controllers in the Euro.com domain.
The administrator, therefore, creates 2 Query Pools: one, which contains all the domain
controllers in the Asia.com domain, and another one, which contains all the domain controllers in
the Euro.com domain.
The administrator will configure the Asia Gateway to get events from the Asia Query Pool, and the
two Euro Security Gateways to get events from the Euro Query Pool.

Identity Awareness Administration Guide R80.10 | 28

 Introduction to Identity Awareness

Identity Web API

The Identity Awareness Identity Web API is a flexible identity source that you can use for simple
integration with 3rd party security and identity products, such as ForeScout CounterACT and
Aruba Networks ClearPass. The Identity Web API identity source provides a flexible method for the
creation of identities based on environment needs. With the Identity Web API, you can create and
revoke identities, and query the Identity Awareness Software Blade regarding users, IP addresses,
and computers.
The Identity Web API uses the REST protocol over HTTPS. The Identity Awareness Gateway
authenticates and authorizes the users and computers with the information it gets from the Web
API.
You can create associations for users and machines. Identity Awareness Gateway can calculate
their group membership and Access Roles, or you can provide that information. The Web API is
useful for:
• Integration with 3rd security products. For example, you can apply a special restricted Access
Role to quarantine an infected machine detected by a 3rd party security product.
• Integration with other authentication systems.
• Automation of administrative tasks related to Identity Awareness.
Identity Web API gets JSON requests over HTTPS. Each JSON request contains one Identity Web
API command, or a bulk of commands. Each API command must include a shared secret that was
pre-configured in SmartConsole.
The Identity Web API supports 3 commands:

Command Description
add-identity Associates an IP address to a user or a computer for a specified amount
of time.

delete-identity Revokes sessions that match one IP address or an IP range.

show-identity Queries the identities related to an IP address, and other information the
Identity Awareness blade saves about this IP address.

Identity Awareness Administration Guide R80.10 | 29

 Introduction to Identity Awareness

Comparison of Acquisition Sources

These tables show how identity sources are different in terms of usage and deployment
considerations. Based on these considerations, you can configure Identity Awareness to use one
or more identity of these identity sources ("Selecting Identity Sources" on page 96).
Browser-Based Authentication - Captive Portal
Unidentified users log in with a user name and password in a Captive Portal. After authentication,
the user clicks a link to go to the destination address.

Recommended Usage Deployment Considerations

• Identity based enforcement for non-AD users • Used for identity enforcement (not intended for logging
(non-Windows and guest users) purposes).
• You can require deployment of Endpoint Identity
Agents

Browser-Based Authentication - Transparent Kerberos Authentication

The Transparent Kerberos Authentication Single-Sign On (SSO) solution transparently
authenticates users already logged into the AD. This means that when a user authenticates to the
domain, user gets access to all authorized network resources and does not have to enter
credentials again. If Transparent Kerberos Authentication fails, the user is redirected to the
Captive Portal for manual authentication.
Note -The Endpoint Identity Agent download link and the Automatic Logout option are ignored
when Transparent Kerberos Authentication SSO is successful. This is so, because the user does
not see the Captive Portal.

Recommended Usage Deployment Considerations

• In AD environments, when known users are already • Used for identity enforcement only (not intended for
logged in to the domain. logging purposes)
• Transparent Kerberos Authentication does not use
Endpoint Identity Agents or the Keep Alive feature.

AD Query
Gets identity data seamlessly from Active Directory (AD).

Recommended Usage Deployment Considerations

• Identity-based auditing and logging. • Easy configuration (requires AD administrator
• Leveraging identity in Internet application control. credentials). For organizations that prefer not to allow
administrator users to be used as service accounts on
• Basic identity enforcement in the internal network.
third party devices, there is an option to configure AD
Query without AD administrator privileges, see sk43874
http://supportcontent.checkpoint.com/solutions?id=sk438
74.
• Preferred for Desktop users.
• Only detects AD users and computers.

Identity Awareness Administration Guide R80.10 | 30

 Introduction to Identity Awareness

Endpoint Identity Agent

A lightweight Endpoint Identity Agent authenticates users securely with Single Sign-On (SSO).

Recommended Usage Deployment Considerations

• Identity enforcement for Data Centers. • See Choosing Identity Sources ("Selecting Identity
• Protecting highly sensitive servers. Sources" on page 96).
• When accuracy in detecting identity is crucial.

Terminal Servers Endpoint Identity Agent

Identifies multiple users who connect from one IP address. A terminal Server Endpoint Identity
Agent is installed on the application server, which hosts the terminal/Citrix services.

Recommended Usage Deployment Considerations

• Identify users, who use Terminal Servers, or a • See Choosing Identity Sources ("Selecting Identity
Citrix environment. Sources" on page 96).

RADIUS Accounting
You can configure a Identity Awareness Gateway to use RADIUS Accounting to get user and
computer identities directly from a RADIUS accounting client. Identity Awareness Gateway uses
this information to apply access permissions to the connection.
RADIUS Accounting gets identity data from RADIUS Accounting Requests generated by the
RADIUS accounting client. Identity Awareness Gateway uses the data from these requests to get
user and device group information from the LDAP server. Firewall rules apply these permissions
to users, computers and networks.

Recommended Usage Deployment Considerations

• In environments, where authentication is handled by • You must configure the RADIUS accounting client to send
a RADIUS server. RADIUS accounting requests to the Identity Awareness
Gateway.
• You must give the RADIUS client access permissions and
create a shared secret.

Identity Collector
The Identity Collector is a Windows-based application, which collects identity information and
sends it to the Identity Awareness Gateways for identity enforcement.

Recommended Usage Deployment Considerations

• Works with Microsoft Active Directory Domain • Windows application with prerequisites ("Requirements
Controller in large scale environments. for a Windows Server" on page 73)
• Integrates with Cisco Identity Services Engine. • Locally managed.
• Requires Event Log Readers permission
credentials.

Identity Awareness Administration Guide R80.10 | 31

 Introduction to Identity Awareness

Identity Web API

The Web API is a flexible identity source that you can use for simple integration with 3rd party
security and identity products.

Recommended Usage Deployment Considerations

• Integrates with 3rd party security products, such as • You must properly configure the accessibility and the list
ForeScout CounterACT and Aruba Networks of authorized API clients.
ClearPass. • You must create a separate shared secret for each API
• Integrates Identity Awareness with authentication client.
systems that Check Point does not regularly
support.
• Does system administration tasks such as quick
checks of users' IP address.

Remote Access
Users, who get access using IPsec VPN Office Mode can authenticate seamlessly.

Recommended Usage Deployment Considerations

• Identify and apply identity-based security Policy on • See Choosing Identity Sources ("Selecting Identity
users that access the organization through VPN. Sources" on page 96).

Identity Awareness Administration Guide R80.10 | 32

 Introduction to Identity Awareness

Deployment
Identity Awareness Software Blade is commonly enabled on a perimeter Security Gateway. It is
frequently used in conjunction with Application Control Software Blade.
To protect internal data centers, Identity Awareness Software Blade can be enabled on an internal
Security Gateway located in front of internal servers, such as data centers. This can be done in
addition to the perimeter Security Gateway, but does not require a perimeter Security Gateway.
Identity Awareness can be deployed in Bridge mode or Route mode.
• In the Bridge mode, it can use an existing subnet with no change to the hosts' IP addresses.
• In the Route mode, the Security Gateway acts as a router with different subnets connected to
its network interfaces.
For redundancy, you can deploy a cluster of Identity Awareness Security Gateways in High
Availability or Load Sharing modes.
If you deploy several Identity Awareness Security Gateways in your environment and configure
them to share identity information. Common scenarios include:
• Enable Identity Awareness Software Blade on your perimeter Security Gateway and on data
center Security Gateway.
• Enable Identity Awareness Software Blade on several data center Security Gateways.
• Enable Identity Awareness Software Blade on branch office Security Gateways and central
Security Gateways.
You can have one or more Identity Awareness Gateways acquire identities and share them with the
other Identity Awareness Gateways.
You can also share identities between Identity Awareness Gateways that are managed in different
Multi-Domain Servers.

Identity Awareness Default Ports

This section shows the default ports used by Identity Awareness features:

Feature Port
LDAP 389

LDAP over SSL (LDAPS) 636

AD Query 135

Global Catalog 3268

Global Catalog over SSL 3269

Identity Awareness Gateway to AD 135, 389

AD to Identity Awareness Gateway 135

Enforcement Gateway 389

Identity Awareness Administration Guide R80.10 | 33
 Introduction to Identity Awareness

Feature Port
Identity Sharing Gateway to Enforcement Gateway 15105, 28581

Browser-Based Authentication 443

Endpoint Identity Agents to Enforcement Gateway 443

Terminal Servers Endpoint Identity Agents to Enforcement Gateway 443

RADIUS Accounting 1813

It is possible to configure these features to different ports. For more information about Identity
Awareness ports, see sk98561 http://supportcontent.checkpoint.com/solutions?id=sk98561 and
sk52421 http://supportcontent.checkpoint.com/solutions?id=sk52421.

Identity Awareness Administration Guide R80.10 | 34

CHAPTE R 2

Configuring Identity Awareness

In This Section:
Enabling Identity Awareness on the Security Gateway ............................................35
Creating Access Roles..................................................................................................38
Using Identity Awareness in the Firewall Rule Base ..................................................39
Identifying Users Behind an HTTP Proxy Server ........................................................42

Enabling Identity Awareness on the Security Gateway

When you enable Identity Awareness Software Blade on a Security Gateway, an Identity Awareness
Configuration wizard opens. You can use the wizard to configure one Security Gateway that uses
the AD Query, Browser-Based Authentication, and Terminal Servers for acquiring identities. You
cannot use the wizard to configure an environment with multiple Security Gateways, or to
configure Endpoint Identity Agent and Remote Access acquisition (other methods for acquiring
identities).
When you complete the wizard and install an Access Policy, the system is ready to monitor Identity
Awareness. You can see the logs for user and computer identity in the SmartConsole Logs &
Monitor > Logs tab. You can see these events using the Columns Profile Access Control.

To enable Identity Awareness Software Blade on a Security Gateway:

1. Log in to SmartConsole.
2. From the left navigation Toolbar, click Gateways & Servers.
3. Double-click the Security Gateway or Security Cluster object.
4. On the Network Security tab, select Identity Awareness.
The Identity Awareness Configuration wizard opens.
5. On the Methods For Acquiring Identity page, select the applicable Identity Sources:
• AD Query (on page 17)
• Browser-Based Authentication (on page 19)
• Terminal Servers (on page 25)
Notes:
• After completing this wizard, you can select additional Identity Sources ("Comparison of
Acquisition Sources" on page 30).
• When you enable Browser-Based Authentication on Security Gateway that runs on an IP
Series appliance with IPSO OS, make sure to set the Voyager management application port
to a number other than 443 or 80.
6. Click Next.

Identity Awareness Administration Guide R80.10 | 35

 Configuring Identity Awareness

7. On the Integration With Active Directory page, you can select or configure an Active Directory
Domain.
a) From the Select an Active Directory list, select the Active Directory to configure from the
list that shows configured LDAP Account Units or create a new domain. If you have not set
up Active Directory, you need to enter a domain name, username, password and domain
controller credentials.
When the SmartConsole client computer is part of the AD domain, SmartConsole suggests
this domain automatically. If you select this domain, the system creates an LDAP Account
Unit with all of the domain controllers in the organization's Active Directory.
b) Enter the Active Directory credentials and click Connect to verify the credentials.
Important - For AD Query you must enter domain administrator credentials. For
Browser-Based Authentication standard credentials are sufficient.
c) If you selected Browser-Based Authentication or Terminal Servers, or do not wish to
configure Active Directory, select I do not wish to configure Active Directory at this time
and click Next.
Best Practice - We highly recommend that you go to the LDAP Account Unit and make sure
that only necessary domain controllers are in the list. If AD Query is not required to operate
with some of the domain controllers, delete them from the LDAP Servers list.
With the Identity Awareness configuration wizard, you can use existing LDAP Account units or
create a new one for one AD domain.
If the SmartConsole computer is part of the domain, the Wizard fetches all the domain
controllers of the domain and all of the domain controllers are configured.
If you create a new domain, and the SmartConsole computer is not part of the domain, the
LDAP Account Unit that the system creates contains only the domain controller you set
manually. If it is necessary for AD Query to fetch data from other domain controllers, you must
add them later manually to the LDAP Servers list after you complete the wizard.
To view/edit the LDAP Account Unit object, open Object Explorer (Ctrl + E), and select Servers
> LDAP Account units in the Categories tree.
The LDAP Account Unit name syntax is: <domain name>__AD
For example, CORP.ACME.COM__AD.
8. Click Next.
If you selected Browser-Based Authentication on the Methods For Acquiring Identity page,
the Browser-Based Authentication Settings page opens.
9. In the Browser-Based Authentication Settings page, select a URL for the portal, where
unidentified users will be directed.
The list shows all IP addresses configured for the Security Gateway. The IP address selected
by default is the Security Gateway main IP address. The same IP address can be used for other
portals with different paths. For example:
• Identity Awareness Browser-Based Authentication - 192.0.2.2/connect
• DLP Portal - 192.0.2.2/DLP
• Mobile Access Portal - 192.0.2.2/sslvpn
By default, access to the portal is only through internal interfaces. To change this, click Edit.
On a perimeter Security Gateway, we recommend that the Captive Portal can be accessed
through only through internal interfaces.

Identity Awareness Administration Guide R80.10 | 36

 Configuring Identity Awareness

10. Click Next.

The Identity Awareness is Now Active page opens with a summary of the acquisition methods.
If you selected Terminal Servers, the page includes a link to download the agent ("Configuring
Terminal Servers" on page 59).
11. Click Finish.
12. Optional: In the Security Gateway or Security Cluster object, go to the Identity Awareness
page and configure the applicable settings.
13. Click OK.
14. Install the Access Policy.

Identity Awareness Administration Guide R80.10 | 37

 Configuring Identity Awareness

Creating Access Roles

After you enable Identity Awareness ("Enabling Identity Awareness on the Security Gateway " on
page 35), you create Access Role objects.
You can use Access Role objects as source and/or destination parameter in a rule. Access Role
objects can include one or more of these objects:
• Networks
• Users and user groups
• Computers and computer groups
• Remote Access clients

To create an Access Role object:

1. In SmartConsole, open the Object Explorer (Ctrl+E).
2. Click New > Users > Access Role.
The New Access Role window opens.
3. Enter a Name and Comment (optional).
4. On the Networks page, select one of these:
• Any network
• Specific networks - Click the plus [+] sign and select a network > click the plus [+] sign
next to the network name, or search for a known network
5. On the Users page, select one of these:
• Any user
• All identified users - Includes users identified by a supported authentication method.
• Specific users/groups - Click the plus [+] sign and select a user > click the plus [+] sign
next to the username, or search for a known user or user group.
6. On the Machines page, select one of these:
• Any machine
• All identified machines - Includes computers identified by a supported authentication
method
• Specific machines/groups - Click the plus [+] sign and select a device > click the plus [+]
sign next to the device name, or search for a known device or group of devices
For computers that use Full Endpoint Identity Agents, you can select (optional) Enforce IP
Spoofing protection.
7. On the Remote Access Clients page, select one of these:
• Any Client
• Specific Client - Select the existing allowed client, or create a new allowed client.
Note - For Identity Awareness Gateways R77.xx or lower, you must select Any Client.
8. Click OK.

Identity Awareness Administration Guide R80.10 | 38

 Configuring Identity Awareness

Using Identity Awareness in the Firewall Rule Base

The Security Gateway examines packets and applies rules in a sequential manner. When a
Security Gateway receives a packet from a connection, it examines the packet against the first rule
in the Rule Base. If there is no match, it then goes on to the second rule and continues until it
matches a rule. If there is no match to any of the explicit or implied rules, Security Gateway drops
the packet.

Working with Access Role Objects in the Rule Base

In rules with Access Roles, if the source identity is unknown, and traffic is HTTP, configure the
Action field to redirect traffic to the Captive Portal. This rule will redirect the user to the Captive
Portal.
In rules with Access Roles, if the source identity is known, the Action in the rule (Allow, Drop, or
Reject) is enforced immediately, and the user is not redirected to the Captive Portal. After the
system gets the credentials from the Captive Portal, it can examine the rule for the next
connection.

In rules with Access Role objects, criteria matching works like this:
• When identity data for an IP address is known:
• If it matches an Access Role, the rule is enforced and traffic is allowed or blacked based on
the action.
• If it does not match an Access Role, it goes on to examine the next rule.
• When identity data for an IP address is unknown and:
• All rule fields match, besides the Source field with an Access Role.
• The connection is HTTP.
• The action is set to redirect to the Captive Portal.
If all the conditions apply, the traffic is redirected to the Captive Portal to get credentials
and see if there is a match.
If not all conditions apply, there is no match, and the next rule is examined.
Note - You can only redirect HTTP traffic to the Captive Portal.

To redirect HTTP traffic to the Captive Portal:

1. In an Access Control Policy rule that uses an Access Role in the Source column, right-click the
Action cell > click More.
The Action Settings window opens.
2. In the Action field, select Accept, Ask, or Inform.
3. At the bottom, select Enable Identity Captive Portal.
4. Click OK.

Identity Awareness Administration Guide R80.10 | 39

 Configuring Identity Awareness

5. The Action cell shows that a redirect to the Captive Portal occurs:
• Accept (display Captive Portal)
• Ask (display Captive Portal)
• Inform (display Captive Portal)
6. Install the Access Policy.

Important - When you set the option to redirect HTTP traffic from unidentified IP
addresses to the Captive Portal, make sure to put the rule in the correct position in the
Rule Base, to avoid unwanted behavior.

This is an example of a Firewall Rule Base that describes how matching operates:

No. Source Destination Service Action

1 Finance Dept Finance Web *Any Accept (display Captive Portal)
(Access Role) Server

2 Admin IP *Any *Any Accept

Address

3 *Any *Any *Any Drop

Example 1 - If an unidentified Finance user tries to access the Finance Web Server over HTTP, a
redirect to the Captive Portal occurs. After the user enters credentials, the Identity Awareness
Gateway allows access to the Finance Web Server. Access is allowed based on rule number 1,
which identifies the user through the Captive Portal as belonging to the Finance Access Role.
Example 2 - If an unidentified administrator tries to access the Finance Web Server over HTTP, a
redirect to the Captive Portal occurs despite rule number 2. After the administrator is identified,
rule number 2 matches. To let the administrator access the Finance Web Server without
redirection to the Captive Portal, switch the order of rules 1 and 2 or add a network restriction to
the Access Role.

Negate and Drop

When you negate a Source or Destination in a rule, it means that a given rule applies to all
Sources/Destinations of the connection except for the specified Source/Destination object. When
the object is an Access Role, this includes all unidentified entities as well.
When you negate an Access Role, it means that the rule is applied to all Access Roles, except for
the specified Access Role and unidentified entities. For example, let us say that the below rule is
positioned above the Any, Any, Any, Drop rule:

Source Destination VPN Services & Action

Applications
Temp_Employees [Negated] Intranet_Web_Server *Any http accept

Identity Awareness Administration Guide R80.10 | 40

 Configuring Identity Awareness

The rule means that everyone (including unidentified users) can access the Intranet Web Server,
except for temporary employees. If a temporary employee is not identified when this employee
accesses the system, this employee will have access to the Intranet Web Server. Right-click the
cell with the Access Role and select Negate Cell. The word [Negated] is added to the cell.

To prevent access to unidentified users, add another rule that ensures that only identified
employees are allowed access:

Source Destination VPN Services & Action

Applications
Temp_Employees Intranet_Web_Server *Any http drop

Any_Identified_Employee Intranet_Web_Server *Any http accept

Identity Awareness Administration Guide R80.10 | 41

 Configuring Identity Awareness

Identifying Users Behind an HTTP Proxy Server

If your organization uses an HTTP proxy server between the users and the Identity Awareness
Gateway, the Identity Awareness Gateway cannot see the identities of these users. As a result, the
Identity Awareness Gateway cannot enforce policy rules based on user identities.
To let the Identity Awareness Gateway identify users behind a proxy server, you can use the
X-Forward-For HTTP header, which the proxy server adds.
To do this, you have to:
• Configure the XFF header on the Identity Awareness Gateway
• Configure the XFF header on the Access Control Policy Layer
• Use Access Roles in the Access Control Policy Layer, or use one of these advanced options in
the Track column: Log, Detailed Log, Extended Log.

To configure the XFF header on an Identity Awareness Gateway:

1. Log in to SmartConsole.
2. From the Navigation Toolbar, click Gateways & Servers.
3. Open the Identity Awareness Gateway object.
4. In the General Properties page > Network Security tab, make sure that Identity Awareness is
enabled.
5. In the left navigation tree, click on the [+] near the Identity Awareness and go to the Proxy
page.
6. Select Detect users located behind http proxy configured with X-Forwarded-For.
• Optional: Select Hide X-Forwarded-For in outgoing traffic.
With this option selected, internal IP addresses are not seen in requests to the internet.
• Optional: Select Trust X-Forwarded-For from known proxies only and select the
applicable Group object from the drop-down list (you need to configure such Group object
in advance).
The Identity Awareness Gateway will read the XFF header only from the trusted servers.
Note - If this option is disabled, the Identity Awareness Gateway will parse the XFF header
only from internal network connections.
7. Click OK.
8. Install the Access Policy.

To configure the XFF header on the Access Control Policy Layer:

1. Log in to SmartConsole.
2. From the Navigation Toolbar, click Security Policies.
3. In the Access Control section, right-click Policy and select Edit Policy.

Identity Awareness Administration Guide R80.10 | 42

 Configuring Identity Awareness

4. In the Access Control section:

• If you already have Policy Layers configured, in the Policy Layer section, click and
select Edit Layer.
• If you do not have Policy Layers configured yet, then:
a) Click on the plus [+] sign > New Layer.
b) Configure the layer.
c) Click OK to close the Layer Editor window.
d) Click OK to close the Policy window.
e) In the Access Control section, right-click Policy and select Edit Policy.
f) In the Policy Layer section, click and select Edit Layer.
5. In the Layer Editor window, go to Advanced page.
6. In the Proxy Configuration section, select Detect users located behind http proxy configured
with X-Forwarded-For.
7. Click OK to close the Layer Editor window.
8. Click OK to close the Policy window.
9. Install the Access Policy.

To use Access Roles in the Access Control Policy Layer:

See Identity Awareness in the Firewall Rule Base ("Using Identity Awareness in the Firewall Rule
Base" on page 39).

To use one of the advanced options in the Track column:

1. Right-click in the Track column > click More.
The Track Settings window opens.
Note - For more information about each available option, click the (?) icon in the top right
corner.
2. In the Track field, select one of these applicable options:
• Log
• Detailed Log
• Extended Log
Note - Detailed Log and Extended Log are only available, if one or more of these Software
Blades are enabled on the Layer: Applications & URL Filtering, Content Awareness, or Mobile
Access.
3. In the Log Generation section, select one of these applicable options:
• per Connection
• per Session
4. Click OK.
5. Install the Access Policy.

Identity Awareness Administration Guide R80.10 | 43

CHAPTE R 3

Configuring Identity Sources

In This Section:
Configuring AD Query ...................................................................................................44
Configuring Browser-Based Authentication in SmartConsole ..................................52
Configuring Endpoint Identity Agents ........................................................................56
Configuring Terminal Servers .....................................................................................59
Configuring RADIUS Accounting ..................................................................................63
Configuring Remote Access .........................................................................................68
Configuring Identity Collector ......................................................................................69
Configuring Identity Awareness API ............................................................................79
Identity Web API Commands ........................................................................................81

Configuring AD Query
Enabling AD Query
You must enable RADIUS Accounting on Security Gateways before they can work as a RADIUS
Accounting server.

To enable AD Query for a Security Gateway:

1. In the SmartConsole Gateways & Servers view, open the Security Gateway.
2. On the General Properties page, make sure that Identity Awareness is enabled.
3. On the Identity Awareness page, select AD Query.

Single User Assumption

You can configure AD Query to allow only one active account per IP address. When user A logs out
before the timeout and user B logs in, the user A session closes automatically and his
permissions are canceled. User B is the only active user account and only his permissions are
valid. This feature is called Single User Assumption.
Before you activate Single User Assumption, you must exclude all service accounts used by user
computers.
Note - Another way to keep these issues to a minimum is to increase the DHCP lease time.

To activate single user assumption:

1. Exclude service accounts ("Excluding Users, Computers and Networks" on page 45).
2. On the Identity Awareness page, select Settings for AD Query.
3. Select Assume that only one user is connected per computer.
4. Click OK.
To deactivate Single User Assumption, clear Assume that only one user is connected per
computer.

Identity Awareness Administration Guide R80.10 | 44

 Configuring Identity Sources

Excluding Users, Computers and Networks

You can manually exclude service accounts, users, computers and networks from the AD Query
scan. You can also configure AD Query to automatically detect and exclude suspected service
accounts. Identity Awareness identifies service accounts as user accounts that are logged in to
more than a specified number of computers at the same time.

To exclude objects from Active Directory queries:

1. From the Security Gateway object Identity Awareness page, select Active Directory Query >
Settings.
2. Click Advanced.
3. In the Excluded Users / Computers section, enter the user or computer account name. You
can use the * and ? wildcard characters or regular expressions ("Appendix: Regular
Expressions" on page 175) to select more than one account. Use this syntax for regular
expressions: regexp:<regular expression>.
4. Optional: Select Automatically exclude users which are logged into more than n machines
simultaneously. Enter the threshold number of computers in the related field.
5. In the Excluded Networks section:
• Click the plus sign (+) and select a network to add the Excluded Network list.
• Select an excluded network and click the minus sign (-) to remove a network from the list.
6. Click Add.
7. Click OK.

Managing the Suspected Service Account List

When automatic exclusion is enabled, Identity Awareness looks for suspected service accounts
every 10 minutes. Suspected service accounts are saved to a persistent database that survives
reboot. When a new service account is detected, a message shows in Logs & Monitor > Logs.
Use these commands to see and manage the suspected service account database:
To show all suspected service accounts, run: adlog a control srv_accounts show
To run the service accounts scan immediately, run: adlog a control srv_accounts find
This command is useful before you enable the Assume that only one user is connected option.
To remove an account from the service account database, run: adlog a control
srv_accounts unmark <account name>
To remove all accounts from the suspected service account database, run: adlog a control
srv_accounts clear
Important - When you use the adlog a control command, you must run adlog a control
reconf to save the configuration.

Using AD Query with NTLMv2

NTLMv2 for AD Query is supported by Identity Awareness Gateway R76 and above. Earlier releases
support only NTLM.
By default, NTLMv2 support is disabled.

Identity Awareness Administration Guide R80.10 | 45

 Configuring Identity Sources

To enable NTLMv2 support for AD Query:

1. In SmartConsole, enable Identity Awareness without using the Identity Awareness
Configuration wizard:
a) Open the Security Gateway or Cluster object.
b) On General Properties tab, click Network Security tab.
c) Enable Identity Awareness.
The Identity Awareness Configuration window that opens.
d) Click Cancel.
e) Make sure Identity Awareness is enabled.
f) Click OK.
g) Install the Access Policy on the Security Gateway or Cluster object.
2. On the Security Management Server:
a) Connect to the command line.
b) Log in to Expert mode.
c) Run:
adlogconfig a
d) Enter the number of this option:
Use NTLMv2
e) Enter the number of this option:
Exit and save
3. In SmartConsole, restart the Identity Awareness Configuration wizard and continue
configuring Identity Awareness.
a) Open the Security Gateway or Cluster object.
b) On General Properties tab, click Network Security tab.
c) Disable Identity Awareness. Do not click OK.
d) Enable Identity Awareness.
The Identity Awareness Configuration window opens.
e) Continue configuring Identity Awareness in this wizard.
f) Click OK.
g) Install the Access Policy on the Security Gateway or Cluster object.

Automatic LDAP Group Update

Identity Awareness automatically recognizes changes to LDAP group membership and updates
identity information, including Access Roles.
When you add, move or remove an LDAP nested group, the system recalculates LDAP group
membership for ALL users in ALL Groups. Be very careful when you deactivate user-related
notifications.
LDAP Group Update is activated by default. You can manually deactivate LDAP Group Update with
the CLI.

Identity Awareness Administration Guide R80.10 | 46

 Configuring Identity Sources

Important - Automatic LDAP group update works only with Microsoft Active Directory
when AD Query is activated.

To deactivate automatic LDAP group update:

1. From the Security Gateway command line, run:
adlogconfig a
The adlog status screen and menu opens.
2. Select Turn LDAP groups update on/off.
LDAP groups update notifications status changes to [ ] (not active). If you enter Turn LDAP
groups update on/off when automatic LDAP group update is not active, LDAP groups update
notifications status changes to [X] (active).
3. Enter Exit and save to save this setting and close the adlogconfig tool.
4. Install the Access Policy.
You can use adlogconfig to set the time between LDAP change notifications and to send
notifications only for user related changes.

To configure LDAP group notification options:

1. From the Security Gateway command line, run:
adlogconfig a
The adlog status screen and menu opens.
2. Enter the Notifications accumulation time to set the time between LDAP change notifications.
3. Enter the time between notifications in seconds (default = 10).
4. Enter Update only user-related LDAP changes to/not to send notifications only for user
related changes.
Be very careful when you deactivate only user-related notifications. This can cause excessive
gateway CPU load.
5. Enter Exit and save to save these settings and close the adlogconfig tool.
6. Install the Access Policy.
Automatic LDAP Group Update does not occur immediately because Identity Awareness looks for
users and groups in the LDAP cache first. The information in the cache does not contain the
updated LDAP Groups. By default, the cache contains 1,000 users and cached user information is
updated every 15 minutes.
You must deactivate the LDAP cache to get automatic LDAP Group Update assignments
immediately. This action can cause Identity Awareness to work slower.

To deactivate the LDAP cache:

1. In SmartConsole, go to Menu > Global properties...
2. In the left navigation tree, click User Directory.
3. Change Timeout on cached users to zero.
4. Change Cache size to zero.
5. Install the Access Policy.

Identity Awareness Administration Guide R80.10 | 47

 Configuring Identity Sources

Specifying Domain Controllers per Security Gateway

An organization Active Directory can have several sites, where each site has its own domain
controllers that are protected by a Security Gateway. When all of the domain controllers belong to
the same Active Directory, one LDAP Account Unit is created in SmartConsole.
When AD Query is enabled on Security Gateways, you may want to configure each Security
Gateway to communicate with only some of the domain controllers.
This is configured in the User Directory page of the Gateway Properties. For each domain
controller that is to be ignored, the default priority of the Account Unit must be set to a value
higher than 1000.
For example, let us say that the LDAP Account Unit ad.mycompany.com has 5 domain controllers
- dc1, dc2, dc3, dc4, and dc5.
On the Identity Awareness Gateway, we want to enable AD Query only for domain controllers dc2
and dc3. This means that priority of all other domain controllers (dc1, dc4 and dc5) must be set to
a number greater than 1000 in the Identity Awareness Gateway object properties.

To specify domain controllers for each Identity Awareness Gateway:

1. Log in to SmartConsole.
2. From the Navigation Toolbar, click Gateways & Servers.
3. Open the Identity Awareness Gateway object.
4. In the left tree, click on the [+] near the Other > click User Directory.
5. Select the option Selected Account Units list.
6. Click Add.
7. Select your Account Unit and click OK.
8. Clear the option Use default priorities.
9. Set the priority 1001 to dc1, dc4 and dc5:
a) Select the domain controller.
b) In the Priority field, enter 1001.
c) Click Set.
10. Click OK.
11. Install the Access Policy.

Checking the Status of Domain Controllers

You can make sure that the domain controllers are set properly by using the adlog CLI. You can
see the domain controllers that the Security Gateway is set to communicate with as well as the
domain controllers it ignores.
The CLI command is: adlog a dc

Identity Awareness Administration Guide R80.10 | 48

 Configuring Identity Sources

Troubleshooting
If you experience connectivity problems between your domain controllers and Identity Awareness
Gateway/Log Servers, perform the following troubleshooting steps:

In this section:
Connectivity Issues .......................................................................................................49
Use wbemtest to Verify WMI ........................................................................................49
Confirm that Security Event Logs are Recorded ........................................................50

Connectivity Issues
1. Ping the domain controller from the Identity Awareness Gateway and Log Server.
2. Ping the Identity Awareness Gateway and Log Server from your domain controller.
3. Perform standard network diagnostics as required.
4. Check the Logs tab of the Logs & Monitor view and see if there are drops between a Security
Gateway defined with AD Query (Source) and the domain controller (Destination). If there are
drops, see Configuring the Firewall (on page 50) and sk58881
http://supportcontent.checkpoint.com/solutions?id=sk58881.

Use wbemtest to Verify WMI

To use the Microsoft wbemtest utility to verify that WMI is functional and accessible.
1. Click Start > Run.
2. Enter wbemtest.exe in the Run window.
3. In the Windows Management Instrumentation Tester window, click Connect.
4. In the Connect window, in the first field, enter the Domain controller, in this format: \\<IP
address>\root\cimv2
5. In the Credentials > User field, enter the fully qualified AD user name. For example:
ad.company.com\admin
6. Enter a password for the user.
7. Click Connect.
8. If the Windows Management Instrumentation Tester window re-appears with its buttons
enabled, WMI is fully functional.
If the connection fails, or you get an error message, check for these conditions:
• Connectivity ("Connectivity Issues" on page 49) problems
• Incorrect domain administrator credentials (on page 50).
• WMI service ("Verify the WMI Service" on page 50) is not running
• A Firewall is blocking traffic ("Configuring the Firewall" on page 50) between the Identity
Awareness Gateway or Log Server and domain controller.

Identity Awareness Administration Guide R80.10 | 49

 Configuring Identity Sources

Domain administrator Credentials

To verify your domain administrator credentials:

1. Click Start > Run.
2. In the Run window, enter \\<domain controller IP address>\c$
For example: \\11.22.33.44\c$
3. In the Logon window, enter your domain administrator user name and password.
4. If the domain controller root directory appears, this indicates that your domain administrator
account has sufficient privileges. An error message may indicate that:
a) If the user does not have sufficient privileges, this indicates that he is not defined as a
domain administrator. Obtain a domain administrator credentials.
b) You entered the incorrect user name or password. Check and retry.
c) The domain controller IP address is incorrect or you are experiencing connectivity issues.

Verify the WMI Service

To verify if the WMI service is running on the domain controller:

1. Click Start > Run.
2. Enter services.msc in the Run window.
3. Find the Windows Management Instrumentation service and see that the service started.
If it did not start, right-click this service and select Start.

Configuring the Firewall

If a Firewall is located between the Identity Awareness Gateway or Log Server, and the Active
Directory controller, configure the Firewall to allow WMI traffic.

To create Firewall rules for WMI traffic:

1. In SmartConsole, from the Security Policies view, open the Access Control Policy.
2. Create a rule that allows ALL_DCE_RPC traffic:
• Source = Security Gateways that run AD Query
• Destination = Domain Controllers
• Service = ALL_DCE_RPC
• Action = Accept
3. Save the policy and install it on Security Gateways.
Note - If there are connectivity issues on DCE RPC traffic after this policy is installed, see
sk37453 http://supportcontent.checkpoint.com/solutions?id=sk37453 for a solution.

Confirm that Security Event Logs are Recorded

If you have checked connectivity ("Connectivity Issues" on page 49) but still do not see identity
information in logs, make sure that the necessary event logs are being recorded to the Security
Event Log.
AD Query reads these events from the Security Event log:
• For Windows Server 2003 domain controllers - 672, 673, 674
• For Windows Server 2008 and higher domain controllers - 4624, 4769, 4768, 4770

Identity Awareness Administration Guide R80.10 | 50

 Configuring Identity Sources

Make sure you see the applicable events in the Event Viewer on the domain controller (My
computer > Manage > Event Viewer > Security).
If the domain controller does not generate these events (by default they are generated), refer to
Microsoft Active Directory documentation for instructions on how to configure these events.

Identity Awareness Administration Guide R80.10 | 51

 Configuring Identity Sources

Configuring Browser-Based Authentication in

SmartConsole
In the Identity Sources section of the Identity Awareness page, select Browser-Based
Authentication to send unidentified users to the Captive Portal.
If you configure Transparent Kerberos Authentication ("Transparent Kerberos Authentication
Configuration" on page 132), the browser tries to identify AD users before sending them to the
Captive Portal.
If you already configured the portal in the Identity Awareness Wizard or SmartConsole, its URL
shows below Browser-Based Authentication.

To configure the Browser-Based Authentication settings:

1. Select Browser-Based Authentication and click Settings.
2. From the Portal Settings window, configure:
• Portal Network Location (on page 52)
• Access Settings (on page 52)
• Authentication Settings (on page 53)
• Customize Appearance (on page 54)
• User Access (on page 54)
• Endpoint Identity Agent Deployment from the Portal (on page 55)
Note - When you enable Browser-Based Authentication on an IPSO Security Gateway that is on an
IP Series appliance, make sure to set the Voyager management application port to a port other
than 443 or 80.

Portal Network Location

Select if the portal runs on this Security Gateway or a different Identity Awareness enabled
Security Gateway. The default is that the Captive Portal is on the Security Gateway. The Security
Gateway redirects unidentified users to the Captive Portal on the same Security Gateway. This is
the basic configuration.
A more advanced deployment is possible where the portal runs on a different Security Gateway.
See the Deployment section for more details.

Access Settings
Click Edit to open the Portal Access Settings window. In this window, you can configure:
• Main URL - The primary URL that users are redirected to for the Captive Portal. You might
have already configured this in the Identity Awareness Configuration wizard.
• Aliases - Click the Aliases button to Add URL aliases that are redirected to the main portal
URL. For example, ID.yourcompany.com can send users to the Captive Portal. To make the
alias work, it must be resolved to the main URL on your DNS server.

Identity Awareness Administration Guide R80.10 | 52

 Configuring Identity Sources

• Certificate - Click Import to import a certificate for the portal website to use. If you do not
import a certificate, the portal uses a Check Point auto-generated certificate. This can cause
browser warnings if the browser does not recognize Check Point as a trusted Certificate
Authority. See Server Certificates (on page 129) for more details.
• Accessibility - Click Edit to select from where the portal can be accessed. You might have
already configured this in the Identity Awareness Wizard. The options are based on the
topology configured for the Security Gateway.
Users are sent to the Captive Portal, if they use networks connected to these interfaces.
• Through all interfaces
• Through internal interfaces
 Including undefined internal interfaces
 Including DMZ internal interfaces
 Including VPN encrypted interfaces
• According to the Firewall policy - Select this if there is a rule that states who can access
the portal.

Authentication Settings
Click Settings to open the Authentication Settings window. In this window you can configure:
• Browser transparent Single Sign-On - Select Automatically authenticate users from
computers in the domain if Transparent Kerberos Authentication is used to identify users.
• Main URL: The URL used to begin the SSO process. If transparent authentication fails,
users are redirected to the configured Captive Portal. This URL contains the DNS name or
IP address of Identity Awareness Gateway.
Note - The Endpoint Identity Agent download link and the Automatic Logout option are ignored
when Transparent Kerberos Authentication SSO is successful. This is so because users do not
see the Captive Portal.
• Authentication Method - Select one method that known users must use to authenticate.
• Defined on user record (Legacy Authentication) - Takes the authentication method from
Gateway Object Properties > Other > Legacy Authentication.
• User name and password - This can be configured internally or on an LDAP server.
• RADIUS - A configured RADIUS server. Select the server from the list.
• User Directories - Select one or more places where the Security Gateway searches to find
users when they try to authenticate.
• Internal users - The directory of internal users.
• LDAP users - The directory of LDAP users. Either:
 Any - Users from all LDAP servers.
 Specific - Users from an LDAP server that you select.
• External user profiles - The directory of users who have external user profiles.
The default is that all user directory options are selected. You might choose only one or two
options if users are only from a specified directory or directories and you want to maximize
Security Gateway performance when users authenticate. Users with identical user names must
log in with domain\user.

Identity Awareness Administration Guide R80.10 | 53

 Configuring Identity Sources

Customize Appearance
Click Edit to open the Portal Customization window and edit the images that users see in the
Captive Portal. Configure the labeled elements of the image below.

Label Name To do in GUI

Number
1 Portal Title Enter the title of the portal. The default title is Network
Login.

2 Company Logo Select Use my company logo and Browse to select a

logo image for the portal.

2 Company Logo for Select Use my company logo for mobiles and Browse to
mobiles select a smaller logo image for users who access the
portal from mobile devices.

User Access
Configure what users can do in the Captive Portal to become identified and access the network.
• Name and password login- Users are prompted to enter an existing username and password.
This will only let known users authenticate.
• Unregistered guests login - Let guests who are not known by the Security Gateway access the
network after they enter required data.

Name and Password Login Settings

Click Settings to configure settings for known users after they enter their usernames and
passwords successfully.
• Access will be granted for xxx minutes - For how long can they access network resources
before they have to authenticate again.
• Ask for user agreement - You can require that users sign a user agreement. Click Edit to
upload an agreement. This option is not selected by default because a user agreement is not
usually necessary for known users.
• Adjust portal settings for specific user groups - You can add user groups and give them
settings that are different from other users. Settings specified for a user group here override
settings configured elsewhere in the Portal Settings. The options that you configure for each
user group are:
• If they must accept a user agreement.
• If they must download an Endpoint Identity Agent and which one.
• If they can defer the Endpoint Identity Agent installation and until when.
You can only configure settings for Endpoint Identity Agent deployment if Endpoint Identity
Agents is selected on the Identity Awareness page.

Identity Awareness Administration Guide R80.10 | 54

 Configuring Identity Sources

Unregistered Guest Login Settings

Click Settings to configure settings for guests.
• Access will be granted for xxx minutes - For how long can they access network resources
before they have to authenticate again.
• Ask for user agreement - Makes users sign a user agreement. Click Edit to choose an
agreement and the End-user Agreement Settings page opens. Select an agreement to use:
• Default agreement with this company name - Select this to use the standard agreement.
See the text in the Agreement preview. Replace Company Name with the name of your
company. This name is used in the agreement.
• Customized agreement - Paste the text of a customized agreement into the text box. You
can use HTML code.
• Login Fields - Edit the table shown until it contains the fields that users complete in that
sequence. Select Is Mandatory for each field that guests must complete before they can get
access to the network. To add a new field, enter it in the empty field and then click Add. Use
the green arrows to change the sequence of the fields. The first field will show the user name
in Logs & Monitor > Logs.

Endpoint Identity Agent Deployment from the Portal

If Endpoint Identity Agents is selected as a method to acquire identities, you can require users to
download the Endpoint Identity Agent from the Captive Portal. You can also let users install the
Endpoint Identity Agent on a specified later date and not right away.
• Require users to download - Select this to make users install the Endpoint Identity Agent.
Select which Endpoint Identity Agent they must install. If this option is selected and the defer
option is not selected, users are not able to access the network if they install the Endpoint
Identity Agent.
• Users may defer installation until - Select to give users flexibility to choose when to install the
Endpoint Identity Agent. Select the date by which they must install it. Until that date a Skip
Endpoint Identity Agent installation option shows in the Captive Portal.

Identity Awareness Administration Guide R80.10 | 55

 Configuring Identity Sources

Configuring Endpoint Identity Agents

Endpoint Identity Agent Deployment Methods
There are different Endpoint Identity Agent deployment methods:
• Using Captive Portal - You can require users to download the Endpoint Identity Agent from the
Captive Portal. You can also let users install the Endpoint Identity Agent on a specified later
date and not right away. During installation, the Endpoint Identity Agent automatically detects
if there are administrator permissions on the computer or not and installs itself accordingly.
Notes:
• When you deploy the Full Endpoint Identity Agent, the user that installs the client must
have administrator rights on the computer. If the user does not have administrator
permissions, the Light Endpoint Identity Agent is installed instead.
• When users authenticate with the transparent portal, the download link does not show.
They must install the agent from the distribution media.
• Using distribution software - You can deploy the Endpoint Identity Agent with distribution
software. You can find the MSI installation files (Light and Full) on the Identity Awareness
Gateway: $NACPORTAL_HOME/htdocs/nac/nacclients/customAgent.msi

Configuring Endpoint Identity Agent Deployment from Captive Portal

To configure Endpoint Identity Agent deployment from Captive Portal:
1. From the Identity Awareness page, select the Endpoint Identity Agents checkbox.
2. Select Browser-Based Authentication and click Settings.
3. From the Portal Settings window, select the Require users to download checkbox to make
users install the Endpoint Identity Agent. Select which Endpoint Identity Agent they must
install. If you select this option and you do not select the defer option, users will can only
access the network if they install the Endpoint Identity Agent.
4. To give users flexibility to choose when they install the Endpoint Identity Agent, select Users
may defer installation until. Select the date by which they must install it. Until that date a Skip
Endpoint Identity Agent installation option shows in the Captive Portal.
5. Click OK.

Configuring Endpoint Identity Agent Deployment for User Groups

When necessary, you can configure specific groups to download the Endpoint Identity Agent. For
example, if you have a group of mobile users that roam and it is necessary for them to stay
connected as they move between networks.

To configure Endpoint Identity Agent deployment for user groups:

1. From the Identity Awareness page, select the Endpoint Identity Agent checkbox.
2. Select Browser-Based Authentication and click Settings.
3. Select Name and password login and click Settings.

Identity Awareness Administration Guide R80.10 | 56

 Configuring Identity Sources

4. Select Adjust portal settings for specific user groups - You can add user groups and give
them settings that are different from other users. Settings specified for a user group here
override settings configured elsewhere in the Portal Settings. The options that you configure
for each user group are:
• If they must accept a user agreement.
• If they must download the Endpoint Identity Agent and which one.
• If they can defer the Endpoint Identity Agent installation and until when.
5. Click OK.

Configuring Endpoint Identity Agents in SmartConsole

In the Identity Sources section of the Identity Awareness page, select Endpoint Identity Agents to
configure Endpoint Identity Agent settings.

To configure the Endpoint Identity Agent settings:

1. Select Endpoint Identity Agents and click Settings.
2. From the Endpoint Identity Agents Settings window, configure:
• Endpoint Identity Agent Access Settings (see "Access Settings" on page 52)
• Authentication Settings (on page 53)
• Session details
• Endpoint Identity Agent Upgrades

Endpoint Identity Agent Access

Click Edit to select from where the Endpoint Identity Agent can be accessed. The options are
based on the topology configured for the Security Gateway.
Users can communicate with the servers if they use networks connected to these interfaces.
• Through all interfaces
• Through internal interfaces
• Including undefined internal interfaces
• Including DMZ internal interfaces
• Including VPN encrypted interfaces
• According to the Firewall Policy - the Endpoint Identity Agent is accessible through interfaces
associated with source networks that appear in access rules used in the Firewall Policy.

Session
Configure data for the logged in session using the Endpoint Identity Agent.
• Agents send keepalive every X minutes - The interval, at which the Endpoint Identity Agent
sends a keepalive signal to the Security Gateway. The keepalive is used as the server assumes
the user logged out if it is not sent. Lower values affect bandwidth and network performance.
• Users should re-authenticate every XXX minutes - For how long can users access network
resources before they have to authenticate again. When using SSO, this is irrelevant.
• Allow user to save password - When SSO is not enabled, you can let users save the passwords
they enter in the Endpoint Identity Agent login window.

Identity Awareness Administration Guide R80.10 | 57

 Configuring Identity Sources

Endpoint Identity Agent Upgrades

Configure data for Endpoint Identity Agent upgrades.
• Check agent upgrades for - You can select all users or select specific user groups that should
be checked for Endpoint Identity Agent upgrades.
• Upgrade only non-compatible versions - the system will only upgrade versions that are no
longer compatible.
• Keep agent settings after upgrade - settings made by users before the upgrade are saved.
• Upgrade agents silently (without user intervention) - the Endpoint Identity Agent is
automatically updated in the background without asking the user for upgrade confirmation.
Note - When you install or upgrade the Full Endpoint Identity Agent version, the user will
experience a momentary loss of connectivity.

Troubleshooting Authentication Issues

Some users cannot authenticate with the Endpoint Identity Agent
This issue can occur in Kerberos environments with a very large Domain Controller database. The
authentication failure occurs when the CCC message size is larger than the default maximum
size. You can increase the maximum CCC message size to prevent this error.
To increase the maximum CCC message size, use the procedure in sk66087
http://supportcontent.checkpoint.com/solutions?id=sk66087.

Transparent Portal Authentication fails for some users

This issue can occur for users that try to authenticate with Kerberos authentication with the
transparent portal. The user sees a 400 Bad Request page with this message:
Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.

The authentication failure occurs because the HTTP request header is larger than the default
maximum size. You increase the maximum HTTP request header to prevent this error.
To increase the maximum HTTP request header size, use the procedure in sk92802
http://supportcontent.checkpoint.com/solutions?id=sk92802 .

Identity Awareness Administration Guide R80.10 | 58

 Configuring Identity Sources

Configuring Terminal Servers

Deploying the Terminal Servers Identity Awareness Solution
To deploy Terminal Servers Endpoint Identity Agent:
• Install a Terminal Servers Endpoint Identity Agent - You install this agent on the application
server that hosts the Terminal/Citrix services after you enable the Terminal Servers identity
source in the Identity Awareness Gateway object and install the Access Policy.
Go to the link
https://<Gateway_IP_Address>/_IA_MU_Agent/download/muhAgent.exe
Make sure you open the link from a location defined in the Terminal Servers Accessibility
setting (Identity Awareness Gateway properties > Identity Awareness > Terminal Servers >
Settings > Edit).
• Configure a Shared Secret - You must configure the same password on the Terminal Servers
Endpoint Identity Agent and the Identity Awareness Gateway. This password is used to secure
the established trust between them.

Installing the Terminal Servers Endpoint Identity Agent

The Terminal Servers Endpoint Identity Agent installs the Terminal Servers driver and features.
You can download the Terminal Servers Endpoint Identity Agent from a link in the Identity
Awareness Gateway object.

To download the Terminal Servers Endpoint Identity Agent:

1. In SmartConsole, open the Identity Awareness Gateway object.
2. Go to the Identity Awareness pane.
3. Select the Terminal Servers identity source.
4. Install the Access Policy.
5. In SmartConsole, open the Identity Awareness Gateway object.
6. Go to the Identity Awareness pane.
7. Click the download Endpoint Identity Agent link.
Make sure you open the link from a location defined in the Accessibility setting (Terminal
Servers > Settings > Edit).
8. Install the Terminal Servers Endpoint Identity Agent on the Terminal Server.
Note - A user with administrator rights must run the Terminal Servers Endpoint Identity Agent
installation.

Upgrading a Terminal Servers Endpoint Identity Agent

There is no option to upgrade the Terminal Servers Endpoint Identity Agent when you upgrade a
Security Gateway to a newer version. You must manually install the new version of the Terminal
Servers Endpoint Identity Agent on the Citrix or Terminal Server.

Identity Awareness Administration Guide R80.10 | 59

 Configuring Identity Sources

Configuring the Shared Secret

You must configure the same password as a shared secret in the Terminal Servers Endpoint
Identity Agent on the application server that hosts the Terminal/Citrix services and on the Security
Gateway enabled with Identity Awareness. The shared secret enables secure communication and
lets the Security Gateway trust the application server with the Terminal Servers functionality.
The shared secret must contain at least 1 digit, 1 lowercase character, 1 uppercase character, no
more than three consecutive digits, and must be eight characters long. In SmartConsole, you can
automatically generate a shared secret that matches these conditions.

To configure the shared secret on the Identity Awareness gateway:

1. Log in to SmartConsole.
2. From the left Navigation Toolbar, click GATEWAYS & SERVERS.
3. Double-click the Check Point Security Gateway that has Identity Awareness enabled.
4. In the left tree, go to the Identity Awareness page.
5. In the Identity Sources section, select Terminal Servers and click Settings.
6. To automatically configure the shared secret:
a) Click Generate to automatically get a shared secret that matches the string conditions.
The generated password is shown in the Pre-shared secret field.
b) Click OK.
7. To manually configure the shared secret:
a) Enter a password that matches the conditions in the Pre-shared secret field.
Note the strength of the password in the Indicator.
b) Click OK.

To configure the shared secret on the application server:

1. Open the Terminal Servers Endpoint Identity Agent.
The Check Point Endpoint Identity Agent - Terminal Servers main window opens.
2. In the Advanced section, click Terminal Servers Settings.
3. In Identity Server Shared Secret, enter the shared secret string.
4. Click Save.

Configuring Terminal Servers Accessibility

1. Log in to SmartConsole.
2. From the left Navigation Toolbar, click GATEWAYS & SERVERS.
3. Double-click the Check Point Security Gateway that has Identity Awareness enabled.
4. In the left tree, go to the Identity Awareness page.
5. Click Terminal Servers - Settings.

Identity Awareness Administration Guide R80.10 | 60

 Configuring Identity Sources

6. In the Accessibility section, click Edit to select from where the Terminal Servers Endpoint
Identity Agent can connect.
The options are based on the topology configured for the gateway:
• Through all interfaces
• Through internal interfaces
 Including undefined internal interfaces
 Including DMZ internal interfaces
 Including VPN encrypted interfaces
• According to the Firewall policy - Select this, if there is a rule that states who can
access the portal.

Terminal Servers Endpoint Identity Agent Users Tab

The Users tab in the Terminal Servers Endpoint Identity Agent main window shows a table with
information about all users that are actively connected to the application server that hosts the
Terminal/Citrix services.

Table Field Description

ID The SID of the user.

User The user and domain name. The format used: <domain>\<user>

TCP Ports The ports allocated to the user for TCP traffic.

UDP Ports The ports allocated to the user for TCP traffic.

Authentication Indicates whether this user is authenticated on the gateway.

Status

The ID and User field information is automatically updated from processes running on the
application server. The Terminal Servers Endpoint Identity Agent assigns TCP and UDP port
ranges for each connected user.

Terminal Servers Advanced Settings

In the Terminal Servers Endpoint Identity Agent main window, click Advanced > Terminal Servers
Settings.
Advanced uses can change these settings when necessary.
Best Practice - We highly recommend that you keep the default values, if you are not an advanced
user.
Changes are applied to new users that log in to the application server after the settings are saved
in the Terminal Servers Endpoint Identity Agent. Users that are currently logged in, will stay with
the older settings.

Identity Awareness Administration Guide R80.10 | 61

 Configuring Identity Sources

Advanced Setting Description

Excluded TCP Ports Ports included in this range will not be assigned to any user for TCP
traffic. This field accepts a port range or list of ranges (separated
with a semicolon).

Excluded UDP Ports Ports included in this range will not be assigned to any user for
UDP traffic. This field accepts a port range or list of ranges
(separated with a semicolon).

Maximum Ports Per User The maximum number of ports that can be assigned to a user in
each of the TCP and UDP port ranges.

Ports Reuse Timeout The number of seconds the system waits until it assigns a port to a
(seconds) new user after it has been released by another user.

Errors History Size N/A

Gateway Shared Secret The same password that is set on the gateway that enables trusted
communication between the Security Gateway and the application
server.

Identity Awareness Administration Guide R80.10 | 62

 Configuring Identity Sources

Configuring RADIUS Accounting

Configure RADIUS Accounting in the RADIUS Accounting Settings window. In the Check Point
Gateway window > Identity Awareness page, click RADIUS Accounting > Settings.

Enabling RADIUS Accounting on a Security Gateway

You must enable RADIUS Accounting on Security Gateways before they can work as a RADIUS
Accounting server.

To enable RADIUS Accounting for a Security Gateway:

1. In the SmartConsole Gateways & Servers view, open the Security Gateway.
2. On the General Properties page, make sure that Identity Awareness is enabled.
3. On the Identity Awareness page, select RADIUS Accounting.

RADIUS Client Access Permissions

Gateway interfaces must be authorized to accept connections from RADIUS Accounting clients.

To select gateway interfaces:

1. In the RADIUS Client Access Permissions section, click Edit.
2. Select Security Gateway interfaces that can accept connections from RADIUS Accounting
clients:
a) All Interfaces - All Security Gateway interfaces can accept connections from RADIUS
Accounting clients (default)
b) Internal Interfaces - Only explicitly defined internal Security Gateway interfaces can accept
connections from RADIUS Accounting clients
 Including undefined internal interfaces - Also accepts connections from internal
interfaces without a defined IP address
 Including DMZ internal interfaces - Also accepts connections from clients located in
the DMZ
c) Firewall Policy - Interface connections are allowed according to the Firewall policy.
3. Enter or select the RADIUS server port (default = 1813).
Important - The All Interfaces and Internal Interface options have priority over Firewall Policy
rules. If a Firewall rule is configured to block connections from RADIUS Accounting clients,
connections continue to be allowed when one of these options are selected.

Identity Awareness Administration Guide R80.10 | 63

 Configuring Identity Sources

Authorized RADIUS Clients

An Identity Awareness Gateway accepts RADIUS Accounting requests only from authorized
RADIUS Accounting clients. A RADIUS Accounting client is a host with a RADIUS client software
installed.

To configure an authorized RADIUS client:

1. In the Authorized RADIUS Clients section of the RADIUS Accounting window, click the + icon
and select a RADIUS Accounting Client from the list.
Click New to define a new host object for the RADIUS Accounting client. This host object is
selected automatically.
Click the - icon to remove an existing RADIUS client from the list.
2. Click Generate to create a strong, shared secret for client authentication. This shared secret
applies to all host objects in this list.
You can manually enter a shared secret. It is not necessary to generate a new shared secret
when you add or remove clients from the list.

RADIUS Message Attribute Indices

RADIUS Accounting Messages contain identity, authentication and administrative information for a
connection. This information is contained in predefined attributes of the RADIUS Accounting
Message packet.
The Message Attributes Indices section tells Identity Awareness, which attributes in RADIUS
Accounting Messages contain identity information used by Identity Awareness:
• Device name - RADIUS device-name attribute
• User name - RADIUS user-name attribute.
• IP Address - RADIUS IP address attribute.
Select a message attribute for each of these values. The default attributes are correct for many
Identity Awareness deployments.
Note - Vendor-Specific (26) is a user-defined attribute. There can be more than one
Vendor-Specific attribute in a RADIUS Accounting message, each with a different value.

A sub-index value is assigned to each Vendor-Specific attribute in a message. This lets Identity
Awareness find and use the applicable value.

To configure message attributes:

1. Select a message attribute from the list for each index field.
2. If you use the Vendor-Specific (26) attribute, select the applicable sub-index value.

Identity Awareness Administration Guide R80.10 | 64

 Configuring Identity Sources

Session Timeout and LDAP Servers

You can define the user session timeout. This parameter is the maximum time that a user session
stays open without receiving an Accounting Start or Interim-Update message from the RADIUS
Accounting client. To define the session timeout, enter or select a value in minutes (default = 720).
You can select, which LDAP Account Units the Security Gateway searches for user or device
information, when it gets a RADIUS Accounting request. LDAP Account Units are configured in
SmartConsole.

To define the authorized LDAP Account Units:

1. Click the Settings button, located below the LDAP Account Units heading.
2. In the LDAP Account Units window, select one of these options:
• Any - Searches all defined LDAP Account Units for user or device information.
• Specific - Searches only the specified LDAP Account Units for user or device information.
 Click + to add an authorized LDAP Account Unit.
 Click - to remove an authorized LDAP Account Unit.
3. If you selected the Specific option, click the green [+] icon and then select one or more LDAP
Account Units.

RADIUS Secondary IP and Dual Stack Support

The RADIUS server can send one message with two IP addresses, rather than a message for each
address.
With this feature, you can get two IP addresses from the RADIUS message and two different
sessions are created, one for each IP.

To configure secondary IP or dual stack:

1. Access the Security Gateway with an SSH connection or console.
2. Log in to expert mode.
3. Run: pdp radius ip set <attribute index>
Where <attribute index> is the RADIUS index with the secondary IP address value (this is
similar to the User IP index that you can set in SmartConsole).
Note - If the secondary IP index is 26 (Vendor-Specific), you must add the vendor-specific
attribute index of the message that contains the secondary IP: pdp radius ip set <attribute
index> -a <vendor specific attribute index>
You can also set the server to handle RADIUS messages from a specified Vendor code: pdp
radius set ip <attribute index> -a <vendor specific attribute index> -c <vendor code>
This is a sample command to configure a Cisco-AVPair:
pdp radius ip set 26 -a 1 -c 9

Identity Awareness Administration Guide R80.10 | 65

 Configuring Identity Sources

RADIUS Attribute Parsing

This feature allows parsing string or text data in RADIUS messages. The parser finds a string
between a predefined prefix and suffix.
For example, if the message is in the form of ###data@@@, you can set the parser with the prefix
# and suffix @ to find data.

To configure RADIUS Attribute parsing:

Run: pdp radius parser set <attribute index> [-p <prefix>] [-s <suffix>]
Where <attribute index> is the RADIUS index with the value, which requires parsing.
<prefix> and <suffix> are the parsing options.
If the message is <text1><prefix><text2><suffix><text3>, the parser returns <text2>.
Example:
message is: username=test;
prefix is: username=
suffix is: ; (semi-colon)
parsed text is: test

You can specify a prefix, or a suffix. If you specify only one, the parser takes out only what you
specified.
Note - If the attribute index is 26 (vendor-specific), you must add the vendor-specific attribute
index:
pdp radius parser set <attribute index> -a <vendor specific attribute index> -p <prefix>
-s <suffix>
You can also set the server to handle RADIUS messages from a specified vendor code:
pdp radius parser set <attribute index> -a <vendor specific attribute index> -c <vendor
code> -p <prefix> -s <suffix>

Receiving Groups from RADIUS Messages

With this feature, you can read the user or computer groups from the RADIUS message and
calculate Access Roles accordingly.

To configure group fetching from RADIUS messages:

• Run: pdp radius group set –u <attribute index> -d <delimiter>
• Run: pdp radius group fetch on
Where <attribute index> is the RADIUS index with the groups value, -u sets user groups and –m
sets computer groups and <delimiter> is the delimiter used to split multiple groups in one
message.
For example, if you want to fetch user groups, and the message is "group1;group2;group3",
then set the delimiter to ";" using this command:
pdp radius groups set –u <attribute index> -d ";"
Note - If the attribute index is 26 (vendor-specific), you must add the vendor-specific attribute
index:
Identity Awareness Administration Guide R80.10 | 66
 Configuring Identity Sources

pdp radius groups set –u <attribute index> -a <vendor specific attribute index> -d
<delimiter>
You can also set the server to handle RADIUS messages from a specific vendor code:
pdp radius groups set –u <attribute index> -a <vendor specific attribute index> -c <vendor
code> -d <delimiter>
When receiving groups from RADIUS messages is enabled, the Identity Awareness Gateway does
not fetch groups from other servers for RADIUS accounting users or computers.

Identity Awareness Administration Guide R80.10 | 67

 Configuring Identity Sources

Configuring Remote Access

To configure Remote Access:
In the Identity Awareness Gateway object properties > Identity Awareness page, select Remote
Access to enable it, or clear this option to disable it.
Important - If there is more than one Identity Awareness Gateway that share identities with each
other and have Office Mode configured, each Identity Awareness Gateway must be configured with
different IP ranges for Office Mode.

Identity Awareness Administration Guide R80.10 | 68

 Configuring Identity Sources

Configuring Identity Collector

Check Point Identity Collector is a dedicated client agent installed on Windows Servers in your
network. Identity Collector collects information about identities and their associated IP addresses,
and sends it to the Check Point Security Gateways for identity enforcement. For mandatory
requirements and more information, see sk108235
http://supportcontent.checkpoint.com/solutions?id=sk108235.
This section explains the steps you must follow to operate Identity Collector as an identity source,
including installation and configuration on the Windows Server.

Deploying the Identity Collector Solution

To deploy the Identity Collector:
• Install an Identity Collector - You install this agent on the Windows server after you enable the
Identity Collector identity source in the Identity Awareness Security Gateway object and install
the Access Policy.
• Configure a shared secret - You must configure the same password on the Identity Collector
as configured in the Identity Awareness Security Gateway object. This password is used to
secure the established trust between them.
Note - The Identity Collector does not directly send AD, LDAP or other types of groups to Identity
Awareness Security Gateway.

Installing the Identity Collector

To install the Identity Collector, a user with administrator rights must run the Identity Collector
installation.
For all requirements and more information, see sk108235
http://supportcontent.checkpoint.com/solutions?id=sk108235.
The Windows server, on which you install the Identity Collector, must meet these requirements:
• Windows Server 2008 or Windows Server 2008 R2, Windows Server 2012 or Windows Server
2012 R2, Windows 2016
• Installed .NET: 4.0 or higher
• Free Disk Space: 10 GB
• Memory: 8 GB
• Oracle Java: JRE 1.8 (Java SE Runtime Environment 8) or higher
• Connectivity to the AD domain controllers of the organization using DNS, LDAP and DCOM
• Connectivity to the Check Point Identity Awareness Gateway over TCP port 443

Identity Awareness Administration Guide R80.10 | 69

 Configuring Identity Sources

Configuring the Identity Collector in the Identity Awareness

Gateway object
To enable the Identity Collector solution, you must also configure it in the Identity Awareness
Gateway object in SmartConsole:
1. In SmartConsole, open the Identity Awareness Gateway object.
2. Go to the Identity Awareness pane.
3. Select Identity Collector.
4. Near the Identity Collector, click Settings.
5. In the Identity Collector Settings window, configure:
• Client Access Permissions (on page 70)
• Authorized Clients and Selected Client Secret (on page 71)
• Authentication Settings (on page 71)
6. Click OK to close the Identity Collector Settings window.
7. Click OK to close the Gateway Properties window.
8. Optional: If you want to enforce the Cisco Security Group Tags (SGTs) on the Identity
Awareness Gateway:
a) In SmartConsole, click Objects menu > Object Explorer > New > User > User Group.
b) Name the new group: CSGT-<SGT_NAME>.
c) Assign this group to an Access Role.
9. Install the Access Policy.

Client Access Permissions

You must select Identity Awareness Gateway interfaces that can accept connections from Identity
Collector clients.

To select the Identity Awareness Gateway interfaces:

1. In the Client Access Permissions section of the Identity Collector Settings window, click Edit.
2. Select Security Gateway interfaces that can accept connections from Identity Collector clients.
The options are based on the topology configured for the Security Gateway. Identity Collector
clients can access the Security Gateway, if they use networks connected to these interfaces.
The options are:
a) Through all interfaces - All Security Gateway interfaces can accept connections from
Identity Collector clients.
b) Through internal interfaces - Only Security Gateway interfaces that are explicitly defined
internal, can accept connections from Identity Collector clients.
 Including undefined internal interfaces - Also accepts connections from Web API
clients on internal interfaces without a defined IP address
 Including DMZ internal interfaces - Also accepts connections from Identity Collector
clients located in the DMZ
 Including VPN Encrypted interfaces - Also accepts connections from Identity Collector
clients located in the VPN domain

Identity Awareness Administration Guide R80.10 | 70

 Configuring Identity Sources

c) According to the Firewall policy - Select this, if there is an explicit Access Policy rule that
accept connections from Identity Collector clients.
Important - The Through all interfaces and Through internal interfaces options have priority
over Firewall Policy rules. If a Firewall rule is configured to block connections from Identity
Collector clients, connections continue to be permitted when one of these options is selected.

Authorized Clients and Selected Client Secret

An Identity Awareness Gateway accepts connections only from authorized Identity Collector client
computers.

To configure authorized Identity Collector client computers:

1. In the Authorized Clients section of the Identity Collector Settings window, click the green [+]
icon and select an Identity Collector client from the list.
Notes:
• To define a new host object:
a) Close the Identity Collector Settings window.
b) Close the Identity Awareness Gateway Properties window.
c) From the top toolbar, click the Objects menu > More object types > Network Object > New
Host.
Or from the right upper corner, click the Objects tab > New > Host.
• To remove an existing Identity Collector client from the list, select the client and click the
red [-] icon.
2. Create an authentication secret for a selected Identity Collector client:
a) Select the Identity Collector client in the list.
b) Click Generate, or enter the desired secret manually.
Notes:
• Each client has its own client secret.
• To modify a client secret, change it manually.

Authentication Settings
1. In the Authentication Settings section of the Identity Collector Settings window, click
Settings.
The LDAP Account Units window opens.
2. Configure where the Identity Awareness Gateway can search for users, when they try to
authenticate:
• Internal users - The directory of configured internal users.
• LDAP users - The directory of LDAP users:
 All Gateway's Directories -Users from all configured LDAP servers.
 Specific - Users from configured LDAP servers that you select.
• External user profiles - The directory of users, who have external user profiles.

Identity Awareness Administration Guide R80.10 | 71

 Configuring Identity Sources

By default, all User Directories options are selected. You can select only one or two options, if
users are only from a specified directory, and you want to maximize Security Gateway
performance, when users authenticate. Users with identical user names must log in with
domain\username.

Configuring the Identity Collector to Work with Active Directory

Do these steps in the Identity Collector to configure it to work with Active Directory:
1. Add a new Active Directory with its Domain Controllers.
2. Add a new Query Pool.
3. Connect to a Check Point gateway.

To add a new Active Directory with its Domain Controllers:

1. Go to Domains > New Domain.
2. Enter the Domain name and account credentials. There are 2 optional fields: Comment and DC
IP Address to test connectivity.
Note - The account must be a member of the Event Log Readers group.
3. Click OK.
4. Use one of these options to add the required Domain Controllers:
a) Add Domain Controllers automatically by DNS and LDAP queries:
(i) Go to Identity Sources > New Source > Active Directory.
(ii) Select Fetch Automatically.
(iii) Select the Domain.
(iv) Enter the DC IP Address of one of the Domain Controllers you want to add.
(v) Click Fetch. A list of the Domain Controllers show.
(vi) Enable the Domain Controllers you want to add.
(vii)Click OK.
b) Add Domain Controllers manually one at a time:
(i) Go to Identity Sources > New Source > Active Directory.
(ii) Click Add Manually.
(iii) Enter the Domain Controller Name.
(iv) Select the Domain.
(v) Enter the IP Address of the Domain Controller you want to add.
(vi) Optional: Enter a comment and enter a Site’s name.
(vii)If this server is not a domain controller but a server that the events are forwarded to,
select this checkbox.
(viii) Optional: Click Test to check the connectivity.
(ix) Click OK.

Identity Awareness Administration Guide R80.10 | 72

 Configuring Identity Sources

To add a new Query Pool:

Assign one Query Pool to each gateway.
1. Click Query Pools > New Query Pool.
2. Enter the Query Pool Name and select the Identity Sources, from which to collect identities.
3. Optional: Enter a Comment.
4. Click OK.
Note – The Identity Collector queries only the AD Domain Controllers and Cisco ISE Servers that
are in the Query Pool.

To connect the Identity Collector to a Check Point gateway:

1. Go to Gateways > New Gateway.
2. Enter the Gateway Name, IP Address and Shared Secret as configured in SmartConsole.
3. Optional: Enter a comment.
4. Select a Query Pool to assign to the gateway.
Note - Assign one Query Pool to each gateway.
5. Click Test.
6. Make sure the certificate is correct and approve it.
7. Click OK.

Requirements for a Windows Server

To use the Identity Collector on a Windows server, the server must meet these requirements:
• Windows Server 2008 or Windows Server 2008 R2, Windows Server 2012 or Windows Server
2012 R2, Windows 2016
• .NET 4.0 or higher
• Free Disk Space: 10 GB
• Memory: 8 GB
• SSL connectivity to the Check Point Identity Awareness Security Gateway
• Oracle Java JRE 1.8 (Java SE Runtime Environment 8) or higher
For more information, see sk108235
http://supportcontent.checkpoint.com/solutions?id=sk108235.

Configuring the Identity Collector on the Windows Server

To add a new Active Directory with its Domain Controllers:
1. Go to Domains > New Domain.
2. Enter the Domain name and account credentials. There are 2 optional fields: Comment and DC
IP Address to test connectivity.
Note - The account must be a member of the Event Log Readers group.
3. Click OK.

Identity Awareness Administration Guide R80.10 | 73

 Configuring Identity Sources

4. Use one of these options to add the required Domain Controllers:

a) Add Domain Controllers automatically by DNS and LDAP queries:
(i) Go to Identity Sources > New Source > Active Directory.
(ii) Select Fetch Automatically.
(iii) Select the Domain.
(iv) Enter the DC IP Address of one of the Domain Controllers you want to add.
(v) Click Fetch. A list of the Domain Controllers show.
(vi) Enable the Domain Controllers you want to add.
(vii)Click OK.
b) Add Domain Controllers manually one at a time:
(i) Go to Identity Sources > New Source > Active Directory.
(ii) Click Add Manually.
(iii) Enter the Domain Controller Name.
(iv) Select the Domain.
(v) Enter the IP Address of the Domain Controller you want to add.
(vi) Optional: Enter a comment and enter a Site’s name.
(vii)If this server is not a domain controller but a server that the events are forwarded to,
select this checkbox.
(viii) Optional: Click Test to check the connectivity.
(ix) Click OK.

To add a new Query Pool:

Assign one Query Pool to each gateway.
1. Click Query Pools > New Query Pool.
2. Enter the Query Pool Name and select the Identity Sources, from which to collect identities.
3. Optional: Enter a Comment.
4. Click OK.
Note – The Identity Collector queries only the AD Domain Controllers and Cisco ISE Servers that
are in the Query Pool.

To connect the Identity Collector to a Check Point gateway:

1. Go to Gateways > New Gateway.
2. Enter the Gateway Name, IP Address and Shared Secret as configured in SmartConsole.
3. Optional: Enter a comment.
4. Select a Query Pool to assign to the gateway.
Note - Assign one Query Pool to each gateway.
5. Click Test.
6. Make sure the certificate is correct and approve it.
7. Click OK.

Identity Awareness Administration Guide R80.10 | 74

 Configuring Identity Sources

Identity Collector Filtering

You can configure the Identity Collector to filter the login events. The Identity Collector sends to
the Identity Server (Identity Awareness Gateway) only events that match the filter criteria.

Step Description
1 Open the Identity Collector application.

2 From the top toolbar, click Filters.

3 Select, or configure a filter:

• Network Filter - Defines IP addresses and networks to include or exclude.
• Identity Filter - Defines user names and computer names to include or exclude. You
can filter by full names, names with wildcard or regular expression (select the
checkbox).
4 Click OK.

Cache:
The cache saves associations (user-to-IP address) that the Identity Collector creates for a time
period (the default is 5 minutes). If the event happens again during that time, the Identity Collector
does not send it to the Identity Server again.

Identity Collector Advanced Configuration

For advanced configuration options, go to the Advanced tab on the left pane of the Identity
Collector.
Activity Log
Logs the date and time of activities done in the Identity Collector. This log is cleared every time the
GUI restarts.
Settings > Identity Reporting
Association time-to-live – How long this association will live on the PDP Security Gateway. The
default is 12 hours.
Cache time-to-live – The cache saves associations (user to IP) that the Identity Collector creates
for a set period of time (the default is 5 minutes). If the event occurs again during that time period,
the Identity Collector does not send the event to the gateway again.
Ignore machine identities – The Identity Collector does not send computer associations, only user
associations. The default of this feature is off.
Ignore RDP events – When remote desktop login occurs, 2 login events occur in the domain
controller with the same username but different IPs: the computer logged in from and the
computer logged in to. Therefore, the IP of the computer logged in from is redundant and with this
configuration the Identity Collector ignores it.
Clear Cache Button – Clears all the entries saved in the cache. The Identity Collector will create
new cache entries when it receives new associations.

Identity Awareness Administration Guide R80.10 | 75

 Configuring Identity Sources

Settings > ISE Servers

Session Keep-alive – The Identity Collector goes over its internal ISE sessions database every
configured period of time. If it finds expired sessions, it queries the ISE Server to see if the session
is still alive. Then it updates the gateway accordingly. This value sets the interval, during which
this occurs.
Settings > Logins Monitor
Enable Logins Monitor – When selected, the Identity Collector records user logging events and
shows them in the Logins Monitor tab.
Event expiration time – The maximum time that the Logins Monitor Table stores each login
record.
Cache time-to-live – The maximum time between two different login events by the same user or
same computer that are treated as one Logins Monitor record.
Auto refresh time – The interval of time, during which the user interface of the Logins Monitor
refreshes its view when it requests an update of the users logins records.
Ignore revoked events – When selected, the Logins Monitor tab only stores and displays the latest
login event (both user and computer event) for each IP address.

Identity Collector Ports and Protocols

Direction Port Protocol
Proprietary Check Point protocol, over
Identity Collector to Identity HTTPS. Used for ongoing communication
443
Awareness Gateway between the agent and the Identity
Awareness Gateway.

Identity Collector to Microsoft DNS

Active Directory Domain 53
Controller

Identity Collector to Microsoft

Active Directory Domain 389 LDAP
Controller

Identity Collector to Microsoft

Active Directory Domain 636 LDAPS
Controller

Identity Collector to Microsoft 135,

* DCOM protocol, which makes extensive
Active Directory Domain and dynamically
use of DCE/RPC.
Controller allocated ports

Session subscribe. Gets notifications of

Identity Collector to Cisco ISE
5222 new login or logout events from the Cisco
Server
ISE Server.

Identity Collector to Cisco ISE Bulk session download. Fetches all the
8910
Server active sessions from the Cisco ISE Server.

Identity Awareness Administration Guide R80.10 | 76

 Configuring Identity Sources

* DCOM uses DCE/RPC. If the Active Directory Domain Controller uses Windows Firewall, you
must configure it to allow Identity Collector traffic: enable Remote Event Log Management >
Remote Event Log Management (RPC).

Identity Collector Alias Feature

Sometimes, a Domain Controller sends events with domain names that are not the NetBIOS or the
FQDN names. When this occurs, the Identity Awareness Gateway does not know the domain and
drops the association. The Alias feature of the Identity Collector resolves this issue.

To enable Alias feature on the Identity Collector client computer:

1. Go to this folder:
C:\ProgramData\CheckPoint\IdentityCollector\
2. Create a new configuration file:
DomainDictionaryAliases.cfg
3. The structure of the configuration file must be as follows:
<name from which to convert>=<name to which to convert>
Notes:
 There is no space between the equal sign and the name of the domain or the alias
name.
 Each line shows one conversion.
Example:
If the nickname of "something.com" is "someone", add this line in the file:
someone=something.com
This way, if an event contains the "someone" domain, the domain name will change to
"something.com".
4. Save the changes in the file.
5. Restart the Identity Collector service:
• Service Name: IDCService
• Service Display Name: Check Point Identity Collector

Identity Collector Optimization

Exclude multi-user machines
After the Identity Collector works for a while, you can check how many multi-user computers
there are, and add them to the Network Exclusion List. To do so, enter this command on the
Identity Awareness Gateway CLI:
pdp idc muh show

Exclude service accounts

After the Identity Collector works for a while, you can see how many service accounts there are,
and add them to the Identity Exclusion List. To do so, enter this command on the Identity
Awareness Gateway CLI:
pdp idc service_accounts

Identity Awareness Administration Guide R80.10 | 77

 Configuring Identity Sources

Consolidate Groups
If the Identity Awareness Gateway receives the user groups from the Cisco Identity Collector
(SGT), it does not try to fetch them from the user directory. If you enable group consolidation, the
Identity Awareness Gateway fetches the group even if it receives groups from the Identity
Collector:
pdp idc groups_consolidation show

Identity Awareness Administration Guide R80.10 | 78

 Configuring Identity Sources

Configuring Identity Awareness API

To configure the Identity Awareness Web API:
1. In the Gateways & Servers view, double-click the Security Gateway.
2. In the Identity Sources section of the Identity Awareness page, select Identity Web API and
click Settings.
3. In the Identity Web API Settings window, configure:
• Client Access Permissions (on page 79)
• Authorized Clients and Selected Client Secret (on page 80)
• Authentication Settings (on page 80)

Client Access Permissions

You must select Identity Awareness Gateway interfaces that can accept connections from Web API
clients.

To select the Identity Awareness Gateway interfaces:

1. In the Client Access Permissions section of the Identity Web API Settings window, click Edit.
2. Select Security Gateway interfaces that can accept connections from Web API clients. The
options are based on the topology configured for the Security Gateway. Web API clients can
access the Security Gateway, if they use networks connected to these interfaces. The options
are:
a) Through all interfaces - All Security Gateway interfaces can accept connections from Web
API clients.
b) Through internal interfaces - Only Security Gateway interfaces that are explicitly defined
internal, can accept connections from Web API clients.
 Including undefined internal interfaces - Also accepts connections from Web API
clients on internal interfaces without a defined IP address
 Including DMZ internal interfaces - Also accepts connections from Web API clients
located in the DMZ
 Including VPN Encrypted interfaces - Also accepts connections from Web API clients
located in the VPN domain
c) According to the Firewall policy - Select this, if there is an explicit Access Policy rule that
accept connections from Web API clients.
Important - The Through all interfaces and Through internal interfaces options have priority
over Firewall Policy rules. If a Firewall rule is configured to block connections from Identity
Collector clients, connections continue to be permitted when one of these options is selected.

Identity Awareness Administration Guide R80.10 | 79

 Configuring Identity Sources

Authorized Clients and Selected Client Secret

An Identity Awareness Gateway accepts connections only from authorized Web API client
computers.

To configure authorized Web API client computers:

1. In the Authorized Clients section of the Identity Collector Settings window, click the green [+]
icon and select a Web API client from the list.
Notes:
• To define a new host object:
a) Close the Web API Settings window.
b) Close the Identity Awareness Gateway Properties window.
c) From the top toolbar, click the Objects menu > More object types > Network Object > New
Host.
Or from the right upper corner, click the Objects tab > New > Host.
• To remove an existing Identity Collector client from the list, select the client and click the
red [-] icon.
2. Create an authentication secret for a selected Web API client:
a) Select the Web API client in the list.
b) Click Generate, or enter the desired secret manually.
Notes:
• Each client has its own client secret.
• To modify a client secret, change it manually.

Authentication Settings
1. In the Authentication Settings section of the Web API Settings window, click Settings.
The LDAP Account Units window opens.
2. Configure where the Identity Awareness Gateway can search for users, when they try to
authenticate:
• Internal users - The directory of configured internal users.
• LDAP users - The directory of LDAP users:
 All Gateway's Directories -Users from all configured LDAP servers.
 Specific - Users from configured LDAP servers that you select.
• External user profiles - The directory of users, who have external user profiles.
By default, all User Directories options are selected. You can select only one or two options, if
users are only from a specified directory, and you want to maximize Security Gateway
performance, when users authenticate. Users with identical user names must log in with
domain\username.

Identity Awareness Administration Guide R80.10 | 80

 Configuring Identity Sources

Identity Web API Commands

The Identity Web API uses the REST protocol over SSL. The requests and responses are HTTP and
in JSON format.
The web API URL has this structure:
https://<Gateway_IP_Address_or_FQDN>/_IA_API/v1.0/<command>
For example: https://gw.acme.com/_IA_API/v1.0/add-identity
The expected JSON structure is a simple, flat key-value object.

Versioning
To provide backward and forward compatibility, you can include the Web API version in the
request URL, as shown in this table:

URL API Version Minimal Gateway Version

https://<GW_IP_or_FQDN>/_IA_API/id 1.0 R80.10
asdk/<command>

https://<GW_IP_or_FQDN>/_IA_API/v1 1.0 R80.10

.0/<command>

https://<GW_IP_or_FQDN>/_IA_API/ Latest R80.10

<command>

Important - URL https://<GW_IP_or_FQDN>/_IA_API/idasdk/<command> used by R80.10

EA customers is preserved and serves API version 1.0.

Identity Awareness Administration Guide R80.10 | 81

 Configuring Identity Sources

Add Identity (v1.0)

Description
Creates a new Identity Awareness association for a specified IP address.
Syntax
POST https://<Gateway_IP_or_FQDN>/_IA_API/v1.0/add-identity

Parameter Type Description Default value

shared-secret String Shared secret N/A

ip-address String (IP) Association IP. Supports N/A

either IPv4 or IPv6, but not
both.

user String User name Empty string

machine String Computer name Empty string

domain String Domain name Empty string

session-timeout Integer Timeout (in seconds) for this 43200 (12 hours)
Identity Awareness
association

fetch-user-groups Boolean (0/1) Defines whether Identity 1

Awareness fetches the
user's groups from the user
directories defined in
SmartConsole.

fetch-machine-groups Boolean (0/1) Defines whether Identity 1

Awareness fetches the
machine's groups from the
user directories defined in
SmartConsole.

user-groups Array of strings List of groups, to which the Empty array

user belongs (when Identity
Awareness does not fetch
user groups).

machine-groups Array of strings List of groups, to which the Empty array

computer belongs (when
Identity Awareness does not
fetch computer groups).

calculate-roles Boolean (0/1) Defines whether Identity 1

Awareness calculates the
identity’s Access Roles.

Identity Awareness Administration Guide R80.10 | 82

 Configuring Identity Sources

Parameter Type Description Default value

roles Array of strings List of roles to assign to this Empty array
identity (when Identity
Awareness does not
calculate roles).

machine-os String Host operating system. For Empty string

example: Windows 7.

host-type String Type of host device. For Empty string

example: Apple iOS device.

Response
Parameter Type Description
ipv6-address String (IP) Created IPv6 identity

ipv4-address String (IP) Created IPv4 identity

message String Textual description of the command’s result

Best Practice - You must include the domain name whenever available. This ensures the user is
authorized by the correct server, improves performance and prevents incorrect authorization,
when there are identical user names in more than one domain.
Notes:
• The request must include user or computer information or both. The shared-secret and
ip-address fields are mandatory.
• String attributes such as user, domain and group names, must not contain curly brackets ("{",
"}"), square brackets ("[", "]"), or angle brackets ("<", ">"). Requests containing such
characters will fail.
• When you set fetch-user-groups or fetch-machine-groups or both to 1, you must also
set calculate-roles to 1. Otherwise, there is no assignment of Access Roles and the
request fails.
• When you set fetch-user-groups or fetch-machine-groups or both to 1, user
authorization can fail (for example, if the user cannot be found in an Account Unit). Because
the gateway sends the response before the authorization process is complete, a successful
response does not necessarily mean the gateway created the identity successfully.
• If you know the operating system and host type of the created associations, you can include
this information in the machine-os and host-type fields. This improves auditing
information, but does not affect enforcement.
• For active directory user and computer groups, which are generated with the Access Role
creation tool, include a special prefix:
Group prefix is ad_group_
User prefix is ad_user_
Machine prefix is ad_machine_

Identity Awareness Administration Guide R80.10 | 83

 Configuring Identity Sources

For example, for Active Directory user group MyGroup the user group attribute is
ad_group_MyGroup. For computer group MyMachinePC, the machine-groups attribute is
ad_machine_MyMachinePC.
Examples
Example request 1: Minimum request for user identity generation
POST https://gw.acme.com/_IA_API/v1.0/add-identity
{
"shared-secret":"****",
"ip-address":"1.2.3.5",
"user":"mary",
}

Response 1
{
"ipv4-address":"1.2.3.5",
"message":"Association sent to PDP."
}

Example request 2: User-defined groups, calculate roles

POST https://gw.acme.com/_IA_API/v1.0/add-identity
{
"shared-secret":"****",
"ip-address":"1.1.1.1",
"user":"john",
"machine":"",
"domain":"cme.com",
"user-groups": ["MyUserGroup"],
"roles":[],
"timeout":43200,
"fetch-user-groups":0,
"calculate-roles":1,
"identity-source":"ACME API Client"
}

Response 2
{
"ipv4-address":"1.1.1.1",
"message":"Association sent to PDP."
}

Example request 3: User-defined groups and roles, detailed information

{
"shared-secret":"****",
"user":"John",
"machine":"Laptop_1234",
"ip-address":"2.2.2.2",
"identity-source":"ACME API Client",
"machine-os":"Windows 10 (Build 1176)",
"host-type":"Laptop",
"fetch-user-groups":0,
"fetch-machine-groups":0,
"calculate-roles":0,
"session-timeout":43200,
"user-groups":["EnterpriseFinanceUsers","ad_user_JohnDoe"],
"machine-groups":["EnterpriseLaptopMachines"],
"roles":["FinanceUser","StandardLaptop"]
}

Identity Awareness Administration Guide R80.10 | 84

 Configuring Identity Sources

Response 3
{
"ipv4-address" : "2.2.2.2",
"message" : "Association sent to PDP."
}

Identity Awareness Administration Guide R80.10 | 85

 Configuring Identity Sources

Delete Identity (v1.0)

Description
Delete Identity Awareness associations for one IP address, a range of IP addresses, or a subnet.
Syntax
POST https://<GW_IP_or_FQDN>/_IA_API/v1.0/delete-identity

Parameter Type Description Default value

shared-secret String Shared secret. N/A

ip-address String (IP) Association IP address. Required when you Empty

revoke a single IP address.

revoke-method String Type of revoke method. It can be empty for Empty

the deletion of a single association by an IP
address.
Otherwise permitted values:
mask - for the deletion of all associations in
a subnet.
range - for the deletion of all associations in
a range.

subnet String (IP) Subnet. Required when the revoke method is Empty
mask.

subnet-mask String (IP) Subnet mask. Required when the revoke Empty
method is mask.

ip-address-first String (IP) First IP address in the range. Required when Empty
the revoke method is range.

ip-address-last String (IP) Last IP address in the range. Required when Empty
the revoke method is range.

client-type String Deletes only associations created by the Any

specified identity source. If no value is set for
the client-type parameter, or if it is set to
any, the gateway deletes all identities
associated with the given IP (or IPs) (see the
client type table for a list of the permitted
values).
Note - When the client-type is set to vpn
(remote access), the gateway deletes all the
identities associated with the given IP
address(es). This is because when you delete
an identity associated with an Office Mode IP
address, this usually means that this Office
Mode IP address is no longer valid.

Identity Awareness Administration Guide R80.10 | 86

 Configuring Identity Sources

List of identity sources for the client-type parameter:

Client type Description

any All identity sources

captive-portal Browser-Based Authentication

ida-agent Identity Agents

vpn Remote Access

ad-query Active Directory query

multihost-agent Terminal Servers (multi-user host agent)

radius RADIUS Accounting

ida-api Identity Web API

identity-collector Identity Collector

Response

Parameter Type Description

ipv6-address String (IP) Deleted IPv6 association

ipv4-address String (IP) Deleted IPv4 association

message String Textual description of the command’s result

count Unsigned integer Number of deleted identities

Examples
Example request 1: Delete by IP
POST https://gw.acme.com/_IA_API/1.0/delete-identity
{
"shared-secret":"****",
"ip-address":"1.1.1.1"
}

Response 1
{
"count":"1",
"ipv4-address":"1.1.1.1",
"message":"Disassociation sent to PDP."
}

Identity Awareness Administration Guide R80.10 | 87

 Configuring Identity Sources

Example request 2: Delete by IP range

POST https://gw.acme.com/_IA_API/v1.0/delete-identity
{
"shared-secret":"****",
"revoke-method":"range",
"ip-address-first":"1.1.1.2",
"ip-address-last":"1.1.1.3"
}

Response 2
{
"count":"2",
"message":"Total of 2 IPs disassociations will be processed."
}

Example request 3: Delete by IP subnet

POST https://gw.acme.com/_IA_API/idasdk/delete-identity
{
"shared-secret":"****",
"revoke-method":" mask",
"subnet":"1.1.1.1",
"subnet-mask":"255.255.255.0"
}

Response 3
{
"count":"100",
"message":"Total of 100 IPs disassociations will be processed."
}

Identity Awareness Administration Guide R80.10 | 88

 Configuring Identity Sources

Query Identity (v1.0)

Description
Queries the Identity Awareness associations of a given IP address.
Syntax
POST https://<Gateway_IP_or_FQDN>/_IA_API/idasdk/show-identity

Parameter Type Description Default Value

shared-secret String Shared secret N/A

ip-address String (IP) Identity IP address N/A

Response

Parameter Type Description

ipv6-address String (IP) Queried IPv6 identity

ipv4-address String (IP) Queried IPv4 identity

message String Textual description of the command’s result

users Array All user identities on this IP. The Information

includes these fields:
• Users' full names (full name if available, falls back to user
name if not)
• Array of groups
• Array of roles
• Identity source

machine String Computer name, if available

machine-groups Array List of computer groups

combined-roles Array List of all the Access Roles on this IP, for auditing
and enforcement purposes.

machine-identity-source String Machine session’s identity source, if the machine

session is available.

Note - If more than one identity source authenticated the user, the result shows a separate record
for each identity source.
Examples
Request 1
POST https://gw.acme.com/_IA_API/v1.0/show-identity
{
"shared-secret":"****",
"ip-address":"1.1.1.1"
}

Identity Awareness Administration Guide R80.10 | 89

 Configuring Identity Sources

Response 1: User identity is available

{
"combined-roles":[
"All_Identified_Users",
"User_John"
],
"domain":"cme.com",
"ipv4-address":"1.1.1.1",
"machine":"[email protected]",
"message":"total 1 user records were found.",
"users":[
{
"groups":[
"All Users",
"ad_user_John_Smith"
],
"identity-source':AD Query",
"roles":[
"All_identified_Users",
"User_John"
],
"user":"JohnSmith"
}
]
}

Response 2: User and computer identities are available

{
"combined-roles":[
"Admin-PC_cme.com",
"All_Identified_Users",
"User_John"
],
"domain":"cme.com",
"ipv4-address":"192.168.110.126",
"machine":"[email protected]",
"machine-groups":[
"ad_machine_ADMINPC",
"All Machines"
],
"machine-identity-source":"Identiy Awareness API (ACME API Client):,
"message":"total 1 user records were found.",
"users":[
{
"groups":[
"All Users",
"ad_user_John_Smith"
],
"identity-source": "Identity Awareness API (ACME API Client)",
"roles":[
"Admin-PC_ad.ida",
"All_Identified_Users",
"User_John"
],
"user":"John Smith"
}
]
}

Identity Awareness Administration Guide R80.10 | 90

 Configuring Identity Sources

Response 3: Multiple user identities are available

{
"combined-roles":[
"Admin-PC",
"All_Identified_Users",
"User_John"
],
"domain":"cme.com",
"ipv4-address":"192.168.110.126",
"machine":"[email protected]",
"machine-identity-source":"AD Query",
"ad_machine_ADMINPC",
"All Machines"
],
"message":"total 2 user records were found.",
"users":[
{
"groups":[
"All Users"
],
"identity-source": "AD Query",
"roles":[
"Admin-PC",
"All_Identified_Users"
],
"user":"George Black"
},
{
"groups":[
"All Users",
"ad_user_John_Smith"
],
"identity-source": "AD Query",
"roles":[
"Admin-PC",
"All_Identified_Users",
"User_John"
],
"user":"John Smith"
}
]
}

Response 4: No identity found

{
"ipv4-address" : "1.1.1.1",
"message" : "total 0 user records were found."
}

Identity Awareness Administration Guide R80.10 | 91

 Configuring Identity Sources

Bulk Commands (v1.0)

You can use a bulk command to send multiple commands in one request. To do this, send the bulk
command with a requests array, in which each array element contains the parameters of one
request. The response returns a responses array, in which each array element contains the
response for one command. The responses appear in the order of the requests.
Request 1: Adding multiple associations
{
"shared-secret" : "****",
"requests":[
{"user":"linda","machine":"","ip-address":"1.1.18.1"},
{"user":"james","ip-address":"1.1.18.2", "domain" : "cme.com"},
{"user":"mary","machine":"","ip-address":"1.1.18.3"}
]
}

Response 1: Added multiple associations

{
"responses":[
{
"ipv4-address":"1.1.18.1",
"message":"Association sent to PDP."
},
{
"ipv4-address":"1.1.18.2",
"message":"Association sent to PDP."
},
{
"ipv4-address":"1.1.18.3",
"message":"Association sent to PDP."
}
]
}

Request 2: Adding multiple associations, one of which is incorrect

{
"shared-secret":"****",
"requests":[
{"user":"john","machine":"","ip-address":"1.1.18.1"},
{"user":"linda","ip-address":"invalid", "domain" : "cme.com"},
{"user":"james","machine":"","ip-address":"1.1.18.3"}
]
}

Identity Awareness Administration Guide R80.10 | 92

 Configuring Identity Sources

Response 2: Corresponding return values

{
"responses": [
{
"ipv4-address": "1.1.18.1",
"message": "Association sent to PDP."
},
{
"code": "GENERIC_ERR_INVALID_PARAMETER",
"message": "No valid IP was provided"
},
{
"ipv4-address": "1.1.18.3",
"message": "Association sent to PDP."
}
]
}

Request 3: Request multiple identities

{
"shared-secret":"****",
"requests":[
{"ip-address":"1.1.18.1"},
{"ip-address":"1.1.18.2"},
{"ip-address":"1.1.18.3"}
]
}

Response 3: Returned identities

{
"responses":[
{
"combined-roles":[],
"ipv4-address":"1.1.18.1",
"message":"total 1 user records were found.",
"users":[
{
"groups":[
"All Users"
],
"identity-source": "AD Query",
"roles":[],
"user":"User 1"
}
]
},
{
"combined-roles":[],
"domain":"cme.com",
"ipv4-address": "1.1.18.2",
"message":"total 1 user records were found.",
"users":[
{
"groups":[
"All Users"
],
"identity-source": "AD Query",
"roles":[],
"user":"User 2"
}
]
},
{
Identity Awareness Administration Guide R80.10 | 93
 Configuring Identity Sources

"combined-roles": [],
"ipv4-address": "1.1.18.3",
"message": "total 1 user records were found.",
"users":[
{
"groups": [],
"identity-source": "AD Query",
"roles": [],
"user": "User 3"
}
]
}
]
}

Identity Awareness Administration Guide R80.10 | 94

 Configuring Identity Sources

Troubleshooting
Issues with the Web API are usually because of:
• Incorrect configuration. For example, when you enter an incorrect URL or do not authorize the
client to use the Web API.
• Incorrect command syntax, such as missing parameters or invalid parameter values.
For standard requests, HTTP response code of 200 means that the Identity Awareness service
received a valid API command. HTTP response code 500 means that the command is invalid, or an
internal error prevented the performance of the command by the API. If the request fails, the
JSON response body includes a code field, and the message field includes a textual description.
The message field shows also on success. The code field implies that the action failed. For bulk
requests, the HTTP status code is always 200. A granular error code is given for each of the
requests.

HTTP API response Possible

status (code field) cause
N/A N/A No response is usually the result
of a connectivity issue. Make sure
the API client can access the
gateway and that the gateway does
not drop the traffic.

404 N/A This is the result of these causes:

• Identity Awareness API is disabled.
• Identity Awareness API is enabled, but
the API client is not authorized.
• Identity Awareness API is enabled, but
the IDA API access settings do not
permit access from the API client
network.
• Incorrect or missing shared secret
• Incorrect URL

500 GENERIC_ERROR_INVALID_SYNTAX Syntax error in the JSON request

body (for example: redundant
comma after the last parameter).

500 GENERIC_ERROR_INVALID_PARAMETER_NAME The request includes a field that is

not permitted for this request.

500 GENERIC_ERR_MISSING_REQUIRED_PARAMETER Missing mandatory parameter.

S

500 GENERIC_ERR_INVALID_PARAMETER Incorrect parameter value or

parameter type (for example:
invalid IP address).

500 GENERIC_INTERNAL_ERROR Internal error on the gateway.

Contact Check Point technical
support for further assistance.

Identity Awareness Administration Guide R80.10 | 95

CHAPTE R 4

Selecting Identity Sources

Identity sources have different security and deployment considerations. Depending on your
organization requirements, you can choose to set them separately, or as combinations that
supplement each other.
This section presents some examples of how to choose identity sources for different
organizational requirements.

Requirement Recommended Identity Source

Logging and auditing with basic AD Query.
enforcement

Logging and auditing only AD Query.

Application Control AD Query and Browser-Based Authentication.

The AD Query finds all AD users and computers.
The Browser-Based Authentication identity source is
necessary to include all non-Windows users. It also serves
as a fallback option, if AD Query cannot identify a user.
If you configure Transparent Kerberos Authentication, then
the browser attempts to authenticate users transparently by
getting identity information before the Captive Portal
username/password page is shown to the user.

Data Center, or internal server The options are:

protection
• AD Query and Browser-Based Authentication - When
most users are desktop users (not remote users) and
easy deployment is important.
Note - You can add Endpoint Identity Agents if you have
mobile users and have users that are not identified by
AD Query. Users that are not identified encounter
redirects to the Captive Portal.
• Endpoint Identity Agents and Browser-Based
Authentication - When a high level of security is
necessary. The Captive Portal is used for distributing the
Endpoint Identity Agent. IP Spoofing protection can be
set to prevent packets from being IP spoofed.
Terminal Servers and Citrix Terminal Servers.
environments
Requires you to install the Terminal Servers Endpoint
Identity Agent on each Terminal Server.

Users that access the organization Remote Access.

through VPN
Lets you identify Mobile Access and IPsec VPN clients that
work in Office Mode.

Identity Awareness Administration Guide R80.10 | 96

 Selecting Identity Sources

Requirement Recommended Identity Source

Environment that use a RADIUS RADIUS Accounting.
server for authentication
Make sure that you configure the Security Gateway as a
RADIUS Accounting client and give it access permissions
and a shared secret.

These are the priorities of the different Identity Sources:

1. Remote Access
2. Endpoint Identity Agent, Terminal Servers Endpoint Identity Agent
3. Captive Portal, Identity Collector, RADIUS Accounting, Identity Awareness API
4. AD Query

Identity Awareness Administration Guide R80.10 | 97

CHAPTE R 5

Identity Awareness Use Cases

In this section:
Acquiring Identities for Active Directory Users ..........................................................98
Acquiring Identities with Browser-Based Authentication ........................................100
Acquiring Identities with Endpoint Identity Agents ...................................................103
Acquiring Identities in a Terminal Server Environment ...........................................105
Acquiring Identities in Application Control ...............................................................106

Acquiring Identities for Active Directory Users

Organizations that use Microsoft Active Directory can use AD Query to acquire identities.
When you set the AD Query option to get identities, you are configuring clientless employee access
for all Active Directory users. To enforce access options, create rules in the Firewall Rule that
contain Access Role objects. An Access Role object defines users, computers and network
locations as one object.
Active Directory users that log in and are authenticated will have seamless access to resources
based on Firewall rules.

Scenario: Laptop Access

James Wilson is an HR partner in the ACME organization. ACME IT wants to limit access to HR
servers to designated IP addresses to minimize malware infection and unauthorized access risks.
Thus, the Security Gateway policy permits access only from James' desktop, which is assigned a
static IP address 10.0.0.19.
He received a laptop and wants to access the HR Web Server from anywhere in the organization.
The IT department gave the laptop a static IP address, but that limits him to operating it only from
his desk. The current Rule Base contains a rule that lets James Wilson access the HR Web Server
from his laptop with a static IP (10.0.0.19).

Name Source Destination VPN Service Action Track

Jwilson to HR Jwilson_PC HR_Web_Server Any Any accept Log
Server Traffic

He wants to move around the organization and continue to have access to the HR Web Server.
To make this scenario work, the IT administrator does these steps:
1. Enables Identity Awareness on a Security Gateway, selects AD Query as one of the Identity
Sources and installs the policy.
2. Checks the logs in the Logs & Monitor view of SmartConsole to make sure the system
identifies James Wilson in the logs.
3. Adds an Access Role object to the Firewall Rule Base that lets James Wilson access the HR
Web Server from any computer and from any location.
4. Sees how the system tracks the actions of the Access Role in in the Logs & Monitor view of
SmartConsole.
Identity Awareness Administration Guide R80.10 | 98
 Identity Awareness Use Cases

User Identification in the Logs

The logs in the Logs & Monitor view of SmartConsole show that the system recognizes James
Wilson as the user behind IP 10.0.0.19. This log entry shows that the system maps the source IP to
the user James Wilson from CORP.ACME.COM. This uses the identity acquired from AD Query.
Note - AD Query maps the users based on AD activity. This can take some time and depends on
user activity. If James Wilson is not identified (the IT administrator does not see the log), he should
lock and unlock the computer.

Using Access Roles

To let James Wilson access the HR Web Server from any computer, change the rule in the Access
Control Policy Rule Base. Create an Access Role ("Creating Access Roles" on page 38) for James
Wilson, from any network and any computer. In the rule, change the source object to be the
Access Role object (for example, HR_Partner).

Name Source Destination VPN Services & Action Track

Applications
HR HR_Partner HR_Web_Server Any Any accept None
Partner
Access

Install the policy. You can remove the static IP address from the laptop of James Wilson and give it
a dynamic IP address. The Security Gateway James Wilson, defined in the HR_Partner Access
Role, access the HR Web server from his laptop with a dynamic IP address.

Identity Awareness Administration Guide R80.10 | 99

 Identity Awareness Use Cases

Acquiring Identities with Browser-Based Authentication

Browser-Based Authentication lets you acquire identities from unidentified users such as:
• Managed users connecting to the network from unknown devices such as Linux computers or
iPhones.
• Unmanaged, guest users such as partners or contractors.
If unidentified users try to connect to resources in the network that are restricted to identified
users, they are automatically sent to the Captive Portal. If Transparent Kerberos Authentication is
configured, the browser will attempt to identify users that are logged into the domain using SSO
before it shows the Captive Portal.

Scenario: Recognized User from Unmanaged Device

The CEO of ACME recently bought her own personal iPad. She wants to access the internal
Finance Web server from her iPad. Because the iPad is not a member of the Active Directory
domain, she cannot identify seamlessly with AD Query. However, she can enter her AD credentials
in the Captive Portal and then get the same access as on her office computer. Her access to
resources is based on rules in the Firewall Rule Base.

Required SmartConsole Configuration

To make this scenario work, the IT administrator must:
1. Enable Identity Awareness Software Blade on a Security Gateway.
2. Select Browser-Based Authentication as one of the Identity Sources, and click Settings.
3. In the Portal Settings window in the User Access section, make sure that Name and password
login is selected.
4. Create a new rule in the Rule Base to let Linda Smith access network destinations. Select
accept as the Action.
5. Right-click the Action column and select More.
The Action Settings window opens.
6. Select Enable Identity Captive Portal.
7. Click OK.
8. From the Source of the rule, right-click to create an Access Role.
a) Enter a Name for the Access Role.
b) In the Users page, select Specific users and choose Linda Smith.
c) In the Machines page, make sure that Any machine is selected.
d) Click OK.
The Access Role is added to the rule.

Identity Awareness Administration Guide R80.10 | 100

 Identity Awareness Use Cases

Name Source Destination VPN Service Action Track

CEO Linda Smith Finance_Server Any http Accept (Enable Log
Access Traffi Identity
c Captive
Portal)

User Experience
Jennifer McHanry does these steps:
1. Browses to the Finance server from her iPad.
The Captive Portal opens because she is not identified and therefore cannot access the
Finance Server.
2. She enters her usual system credentials in the Captive Portal.
A Welcome to the network window opens.
3. She can successfully browse to the Finance server.

User Identification in the Logs

The log entry in the Logs tab of the Logs & Monitor view shows how the system recognizes Daniel
David from his iPad. This uses the identity acquired from Captive Portal.

Scenario: Guest Users from Unmanaged Device

Guests frequently come to the ACME company. While they visit, the CEO wants to let them access
the Internet on their own laptops.
Amy, the IT administrator configures the Captive Portal to let unregistered guests log in to the
portal to get network access. She makes a rule in the Rule Base to let unauthenticated guests
access the Internet only.

Identity Awareness Administration Guide R80.10 | 101

 Identity Awareness Use Cases

When guests browse to the Internet, the Captive Portal opens. Guests enter their name, company,
email address, and phone number in the portal. They then agree to the terms and conditions
written in a network access agreement. Afterwards, they are given access to the Internet for a
specified time.

Required SmartConsole Configuration

To make this scenario work, the IT administrator must:
1. Enable Identity Awareness Software Blade on a Security Gateway.
2. Select Browser-Based Authentication as one of the Identity Sources, and click Settings.
3. In the Portal Settings window in the Users Access section, make sure that Unregistered
guest login is selected.
4. Click Unregistered guest login - Settings.
5. In the Unregistered Guest Login Settings window, configure:
• The data guests must enter.
• For how long users can access the network resources.
• If a user agreement is required and its text.
6. Create an Access Role rule in the Rule Base, to let identified users access the Internet from
the organization:
a) Right-click Source and select Access Role.
b) In the Users tab, select All identified users.
7. Create an Access Role rule in the Rule Base, to let Unauthorized Guests access only the
Internet:
a) Right-click Source and select Access Role.
b) In the Users tab, select Specific users > Unauthenticated Guests.
c) Select accept as the Action.
d) Right-click the Action column and select Edit Properties.
The Action Properties window opens.
e) Select Enable Identity Captive Portal.
f) Click OK.

User Experience
From the perspective of a guest at ACME, she does these steps:
1. Browses to an internet site from her laptop.
The Captive Portal opens because she is not identified and therefore cannot access the
Internet.
2. She enters her identifying data in the Captive Portal and reads through and accepts a network
access agreement.
A Welcome to the network window opens.
3. She can successfully browse to the Internet for a specified time.

Identity Awareness Administration Guide R80.10 | 102

 Identity Awareness Use Cases

Acquiring Identities with Endpoint Identity Agents

Scenario: Endpoint Identity Agent Deployment and User Group
Access
The ACME organization wants to make sure that only the Finance department can access the
Finance Web server. The current Rule Base uses static IP addresses to define access for the
Finance department.
Amy, the IT administrator wants to leverage the use of Endpoint Identity Agents so:
• Finance users will automatically be authenticated one time with SSO when logging in (using
Kerberos, which is built-in into Microsoft Active Directory).
• Users that roam the organization will have continuous access to the Finance Web server.
• Access to the Finance Web server will be more secure by preventing IP spoofing attempts.
Amy wants Finance users to download the Endpoint Identity Agent from the Captive Portal. She
needs to configure:
• Endpoint Identity Agents as an identity source for Identity Awareness.
• Endpoint Identity Agent deployment for the Finance department group from the Captive Portal.
She needs to deploy the Full Endpoint Identity Agent so she can set the IP spoofing protection.
No configuration is necessary on the client for IP spoofing protection.
• A rule in the Rule Base with an Access Role for Finance users, from all managed computers
and from all locations with IP spoofing protection enabled.
After configuration and policy install, users that browse to the Finance Web server will get the
Captive Portal and can download the Endpoint Identity Agent.

User Experience
A Finance department user does this:
1. Browses to the Finance Web server.
The Captive Portal opens because the user is not identified and cannot access the server. A
link to download the Endpoint Identity Agent is shown.
2. The user clicks the link to download the Endpoint Identity Agent.
The user automatically connects to the Security Gateway. A window opens asking the user to
trust the server.
Note - The trust window opens because the user connects to the Identity Awareness Gateway,
with the File name based server discovery option. There are other server discovery methods,
which do not require user trust confirmation.
3. Click OK. The user automatically connects to the Finance Web server.
The user can successfully browse to the internet for a specified time.

Identity Awareness Administration Guide R80.10 | 103

 Identity Awareness Use Cases

Required SmartConsole Configuration

To make this scenario work, the IT administrator must:
1. Enable Identity Awareness Software Blade on a Security Gateway.
2. Select Endpoint Identity Agents and Browser-Based Authentication as Identity Sources.
3. Click the Browser-Based Authentication Settings button.
4. In the Portal Settings window in the Users Access section, select Name and password login.
5. In the Endpoint Identity Agent Deployment from the Portal, select Require users to download
and select Endpoint Identity Agent - Full option.
Note - This configures Endpoint Identity Agent for all users. Alternatively, you can set Endpoint
Identity Agent download for a specific group ("Configuring Endpoint Identity Agent Deployment
for User Groups" on page 56).
6. Configure Kerberos SSO.
7. Create a rule in the Firewall Rule Base that lets only Finance department users access the
Finance Web server and install the Access Policy:
a) From the Source of the rule, right-click to create an Access Role.
b) Enter a Name for the Access Role.
c) In the Networks tab, select Specific users and add the Active Directory Finance user group.
d) In the Users tab, select All identified users.
e) In the Machines tab, select All identified machines and select Enforce IP spoofing
protection (requires Full Endpoint Identity Agent).
f) Click OK.
The Access Role is added to the rule.
8. Install the Access Policy.

What's Next
Other options that can be configured for Endpoint Identity Agents:
• A method that determines how Endpoint Identity Agents connect to an Identity Awareness
Gateway and trusts it. In this scenario, the File Name server discovery method is used.
• Access Roles ("Creating Access Roles" on page 38) to leverage computer awareness.
• End user interface protection so users cannot access the client settings.
• Let users defer client installation for a set time and ask for user agreement confirmation. See
User Access (on page 54).

User Identification in the Logs

The log in the Logs & Monitor > Logs tab shows how the system recognizes a guest.
The log entry shows that the system maps the source IP address with the user identity. In this
case, the identity is "guest" because that is how the user is identified in the Captive Portal.

Identity Awareness Administration Guide R80.10 | 104

 Identity Awareness Use Cases

Acquiring Identities in a Terminal Server Environment

Scenario: Identifying Users Accessing the Internet through
Terminal Servers
The ACME organization defined a new policy that only allows users to access the internet through
Terminal Servers. The ACME organization wants to make sure that only the Sales department will
be able to access Facebook. The current Rule Base uses static IP addresses to define access for
Facebook, but now all connections are initiated from Terminal Server IP addresses.
Amy, the IT administrator wants to leverage the use of the Terminal Servers solution so that:
• Sales users will automatically be authenticated with Identity Awareness when logging in to the
Terminal Servers.
• All connections to the internet will be identified and logged.
• Access to Facebook will be restricted to the Sales department users.
To enable the Terminal Servers solution, Amy must:
• Configure Terminal Server/Citrix Identity Agents as an identity source for Identity Awareness.
• Install a Terminal Servers Identity Agent on each of the Terminal Servers.
• Configure a shared secret between the Terminal Servers Identity Agents and the gateway.
• After configuration and installation of the policy, users that log in to Terminal Servers and
browse to the internet will be identified and only Sales department users will be able to access
Facebook.

Identity Awareness Administration Guide R80.10 | 105

 Identity Awareness Use Cases

Acquiring Identities in Application Control

You can use the Identity Awareness and Application & URL Filtering together to add user
awareness, computer awareness, and application awareness to the Check Point Security Gateway.
They work together in these procedures:
• In the Access Control Policy Layer with the Application & URL Filtering Software Blade
enabled, use Identity Awareness Access Roles rules as the source of the rule.
• You can use all the types of identity sources to acquire identities of users who try to access
applications.
• In logs and events, you can see, which user and IP address accesses which applications.

Scenario: Identifying Users in Application Control Logs

The ACME organization wants to use Identity Awareness to monitor outbound application traffic
and learn what their employees are doing. To do this, the IT administrator must enable Application
Control and Identity Awareness. Identity information for the traffic then shows in the logs and
events. See the logs in the Logs & Monitor > Logs tab. See the events in the Logs & Monitor views,
in the Access Control categories.
Next, the IT department can add rules to block specific applications or track them differently in
the Application & URL Filtering Layer of the policy to make it even more effective. See the R80.10
Next Generation Security Gateway Guide
http://downloads.checkpoint.com/dc/download.htm?ID=54806.

Required SmartConsole Configuration

To make this scenario work, the IT administrator must:
1. Enable the Application Control blade on a Security Gateway.
This adds a default rule to the Application Control Rule Base that allows traffic from known
applications, with the tracking set to Log.
2. Enable Identity Awareness on a Security Gateway, selects AD Query as one of the Identity
Sources.
3. Install the Access Policy.

User Identification in the Logs

You can see data for identified users in the Logs and Events that relate to application traffic. See
Logs in the Logs & Monitor view Logs tab. See Events in the Logs & Monitor Access Control views.
The log entry shows that the system maps the source IP address with the user identity. It also
shows Application Control data.

Identity Awareness Administration Guide R80.10 | 106

CHAPTE R 6

Configuring Identity Logging for a Log

Server
In This Section:
Enabling Identity Awareness on the Log Server for Identity Logging .....................107
Install Database for a Log Server ..............................................................................109
WMI Performance .......................................................................................................109

When you enable Identity Awareness on a Log Server, you add user and computer identification to
Check Point logs. Administrators can then analyze network traffic and security-related events
better.
The Log Server communicates with Active Directory servers. The Log Server stores the data
extracted from the AD in an association map. When Security Gateways generate a Check Point log
entry and send it to the Log Server, the server gets the user and computer name from the
association map entry that corresponds to the source IP address of the event log. It then adds this
identity aware information to the log.

Enabling Identity Awareness on the Log Server for

Identity Logging
Before you enable Identity Awareness on the Log Server for identity logging:
• Make sure there is network connectivity between the Log Server and the domain controller of
your Active Directory environment.
• Get the Active Directory administrator credentials.

To enable Identity Awareness on the Log Server for logging:

1. Log in to SmartConsole.
2. From the Navigation Toolbar, click Gateways & Servers.
3. Open the Log Server object.
4. In the General Properties page, in the Management section, select Logging & Status and
Identity Awareness.
The Identity Awareness Configuration wizard opens.
5. On the Acquire Identities For Logs window, click Next.
6. On the Integration With Active Directory page, select or configure an Active Directory Domain.
a) From the Select an Active Directory list, select the Active Directory to configure from the
list that shows configured LDAP Account Units or create a new domain. If you have not set
up Active Directory, you need to enter a domain name, username, password and domain
controller credentials.
When the SmartConsole client computer is part of the AD domain, SmartConsole suggests
this domain automatically. If you select this domain, the system creates an LDAP Account
Unit with all of the domain controllers in the organization's Active Directory.

Identity Awareness Administration Guide R80.10 | 107

 Configuring Identity Logging for a Log Server

b) Enter the Active Directory credentials and click Connect to verify the credentials.
Important - For AD Query you must enter domain administrator credentials. For
Browser-Based Authentication standard credentials are sufficient.
c) If you selected Browser-Based Authentication or Terminal Servers, or do not wish to
configure Active Directory, select I do not wish to configure Active Directory at this time
and click Next.
Best Practice - We highly recommend that you go to the LDAP Account Unit and make sure
that only necessary domain controllers are in the list. If AD Query is not required to operate
with some of the domain controllers, delete them from the LDAP Servers list.
With the Identity Awareness configuration wizard, you can use existing LDAP Account units or
create a new one for one AD domain.
If the SmartConsole computer is part of the domain, the Wizard fetches all the domain
controllers of the domain and all of the domain controllers are configured.
If you create a new domain, and the SmartConsole computer is not part of the domain, the
LDAP Account Unit that the system creates contains only the domain controller you set
manually. If it is necessary for AD Query to fetch data from other domain controllers, you must
add them later manually to the LDAP Servers list after you complete the wizard.
To view/edit the LDAP Account Unit object, open Object Explorer (Ctrl + E), and select Servers
> LDAP Account units in the Categories tree.
The LDAP Account Unit name syntax is: <domain name>__AD
For example, CORP.ACME.COM__AD.
7. Click Next.
8. The Identity Awareness is Now Active page opens with a summary of the acquisition methods.
9. Click Finish.
10. Optional: In the Log Server object, go to the Identity Awareness page and configure the
applicable settings.
11. Click OK.
12. Install the database:
a) From SmartConsole, go to Menu > click Install database.
b) The Install Database window appears.
c) Select all Check Point objects, on which to install the database.
d) In the Install database window, click Install.
e) In the SmartConsole window, click Publish & Install.
f) The operation should end with the message Install Database on XXX Succeeded.

Identity Awareness Administration Guide R80.10 | 108

 Configuring Identity Logging for a Log Server

Install Database for a Log Server

If you have configured Identity Awareness for a Log Server, but do not see identities in logs, make
sure you installed the database.

To install the database:

1. From SmartConsole, go to Menu > Install database...
The Install Database window appears.
2. Select all Check Point object, on which to install the database.
3. Click OK.
4. Click Close when done.

WMI Performance
Bandwidth between the Log Server and Active Directory Domain Controllers
The amount of data transferred between the Log Server and domain controllers depends on the
amount of events generated. The generated events include event logs and authentication events.
The amounts vary according to the applications running in the network. Programs that have many
authentication requests result in a larger amount of logs. The observed bandwidth range varies
between 0.1 to 0.25 Mbps per each 1000 users.

CPU Impact
When using AD Query, the impact on the domain controller CPU is less than 3%.

Identity Awareness Administration Guide R80.10 | 109

CHAPTE R 7

Identity Awareness Deployment

In This Section:
Identity Sharing ...........................................................................................................110
Configuring Identity Awareness for a Domain Forest (Subdomains) ......................110
Non-English Language Support ................................................................................111
Nested Groups ..........................................................................................................112

Identity Sharing
Best Practice - In environments that use many Security Gateways and AD Query, we recommend
that you set only one Security Gateway to acquire identities from a given Active Directory domain
controller for each physical site. If more than one Security Gateway gets identities from the same
AD server, the AD server can become overloaded with WMI queries.
Set these options on the Identity Awareness > Identity Sharing page of the Security Gateway
object:
• One Security Gateway to share identities with other Security Gateways. This is the Security
Gateway that gets identities from a given domain controller.
• All other Security Gateways to get identities from the Security Gateway that acquires identities
from the given domain controller.
The Deployment Scenarios (on page 115) section has more details.

Configuring Identity Awareness for a Domain Forest

(Subdomains)
Create a separate LDAP Account Unit for each domain in the forest (subdomain). You cannot add
domain controllers from two different subdomains into the same LDAP Account Unit.
You can use the Identity Awareness Configuration Wizard to define one subdomain. This
automatically creates an LDAP Account Unit that you can easily configure for more settings. You
must manually create all other domains that you want Identity Awareness to relate to, from
Servers and OPSEC in the Objects tree > Servers > New > LDAP Account Unit.

Identity Awareness Administration Guide R80.10 | 110

 Identity Awareness Deployment

When you create an LDAP Account Unit for each domain in the forest:
1. Make sure the username is one of these:
• A Domain administrator account that is a member of the Domain Admins group in the
subdomain. Enter the username as subdomain\user.
• An Enterprise administrator account that is a member of the Enterprise Admins group in
the domain. If you use an Enterprise administrator, enter the username as domain\user.
For example, if the domain is ACME.COM, the subdomain is SUB.ACME.COM, and the
administrator is John_Doe:
If the admin is a Domain administrator, Username is: SUB.ACME.COM\John_Doe
If the admin is an Enterprise administrator, Username is: ACME.COM\John_Doe
Note - In the wizard, this is the Username field. In the LDAP Account Unit, go to LDAP
Server Properties tab > Add > Username.
2. In LDAP Server Properties tab > Add > Login DN, add the login DN.
3. In Objects Management tab > Branches in use, edit the base DN
from: DC=DOMAIN_NAME,DC=DOMAIN_SUFFIX
to: DC=SUB_DOMAIN_NAME,DC=DOMAIN_NAME,DC=DOMAIN_SUFFIX
For example, change DC=ACME,DC=local to DC=SUB,DC=ACME,DC=local

Non-English Language Support

To support non-English user names on an Identity Awareness Gateway, you must set a parameter
in the LDAP Account Unit object in SmartConsole.
It is not necessary to set this parameter when you enable Identity Awareness on the Security
Management Server or Log Server.

To set non-English language support:

1. In SmartConsole, click Open Object Explorer (Ctrl+E).
2. From the Categories tree, select Servers > LDAP Account Unit and select the LDAP Account
Unit.
3. In the General tab of the LDAP Account Unit, make sure Enable Unicode support. is selected.
It is selected by default.
4. Click OK.

Identity Awareness Administration Guide R80.10 | 111

 Identity Awareness Deployment

Nested Groups
Identity Awareness supports the use of LDAP nested groups. When a group is nested in another
group, users in the nested group are identified as part of the parent group. For example, if you
make Group_B a member of Group_A, Group_B members will be identified by Identity Awareness
as being part of Group A.
There are three ways to configure nested group queries:
• Recursive nested groups - The gateway sends a query with the user name to the LDAP server.
The server finds the groups that the user is a member of and sends it to the gateway. To know
if a group is nested in another group, and for each nesting level, you must send a new query.
This feature is enabled by default. The default nesting depth is configured to 20. For details,
see sk66561 http://supportcontent.checkpoint.com/solutions?id=sk66561.
• Per-user nested groups - With one LDAP query, the response includes all groups for the given
user, with all nesting levels. The server sends the groups of a given user as a flat list.
• Multi per-group nested groups - The gateway sends one LDAP query, which includes the user
name and the group. The server responds if the user is in this group or not. Best Practice -
Use this configuration for Microsoft Active Directory environment with many defined users and
groups, and less groups defined in SmartConsole.

Configuring Nested Groups Query Options

You configure the nested group query options through the Security Gateway CLI:

Command Description
pdp nested_groups status Shows status

pdp nested_groups __set_state 1 Sets recursive nested groups (like R.77x)

pdp nested_groups __set_state 2 Sets per-user nested groups

pdp nested_groups __set_state 3 Sets multi per-group nested groups

Identity Awareness Administration Guide R80.10 | 112

CHAPTE R 8

Advanced Identity Awareness

Deployment
In This Section:
Introduction to Advanced Identity Awareness Deployment ...................................113
Deployment Options ...................................................................................................114
Deploying a Test Environment ...................................................................................114
Deployment Scenarios ...............................................................................................115

Introduction to Advanced Identity Awareness

Deployment
Deploy Check Point Identity Awareness enabled Security Gateways for better security for your
network environment and corporate data. This section describes recommended deployments with
Identity Awareness.
Important - NAT between two Identity Awareness Security Gateways that share data with each
other is not supported.
• Perimeter Security Gateway with Identity Awareness – This deployment is the most common
scenario. Deploy the Security Gateway at the perimeter where it protects access to the DMZ
and the internal network. The perimeter Security Gateway also controls and inspects internal
traffic going to the Internet. In this deployment, create an identity-based Access Control Policy.
• Data Center protection – If you have a Data Center or server farm separated from the users'
network, protect access to the servers with the Security Gateway. Deploy the Security Gateway
in front of the Data Center. All traffic is inspected by the Security Gateway. Control access to
resources and applications with an identity-based access policy. Deploy the Security Gateway
in bridge mode to protect the Data Center without significant changes to the existing network
infrastructure.
• Large scale enterprise deployment – In large networks, deploy multiple Security Gateways.
For example: deploy a perimeter Firewall and multiple Data Centers. Install an identity-based
policy on all Identity Awareness Security Gateways. The Security Gateways share user and
computer data of the complete environment.
• Network segregation – The Security Gateway helps you migrate or design internal network
segregation. Identity Awareness lets you control access between different segments in the
network with an identity-based policy. Deploy the Security Gateway close to the access
network to avoid malware threats and unauthorized access to general resources in the global
network.
• Distributed enterprise with branch offices – For an enterprise with remote branch offices
connected to the headquarters with VPN, deploy the Security Gateway at the remote branch
offices. When you enable Identity Awareness on the branch office Security Gateway, users are
authenticated before they reach internal resources. The identity data on the branch office
Security Gateway is shared with other Security Gateways to avoid unnecessary authentication.

Identity Awareness Administration Guide R80.10 | 113

 Advanced Identity Awareness Deployment

• Wireless campus – Wireless networks have built-in security challenges. To give access to
wireless-enabled corporate devices and guests, deploy Identity Awareness Security Gateways
in front of the wireless switch. Install an Identity Awareness policy. The Security Gateways give
guest access after authentication in the web Captive Portal, and then they inspect the traffic
from WLAN users.

Deployment Options
You can deploy an Identity Awareness Gateway in two different network options:
• IP routing mode
• Transparent mode (bridge mode)
IP routing mode - This is a regular and standard method used to deploy Identity Awareness
Gateways. You usually use this mode when you deploy the Identity Awareness Gateway at the
perimeter. In this case, the Identity Awareness Gateway behaves as an IP router that inspects and
forwards traffic from the internal interface to the external interface and vice versa. Both
interfaces should be located and configured using different network subnets and ranges.
Transparent mode - Known also as a "bridge mode". This deployment method lets you install the
Identity Awareness Gateway as a Layer 2 device, rather than an IP router. The benefit of this
method is that it does not require any changes in the network infrastructure. It lets you deploy the
Identity Awareness Gateway inline in the same subnet. This deployment option is mostly suitable
when you must deploy an Identity Awareness Gateway for network segregation and Data Center
protection purposes.

Deploying a Test Environment

Best Practice - If you want to evaluate how Identity Awareness operates in a Security Gateway, we
recommend that you deploy it in a simple environment. The recommended test setup below gives
you the ability to test all identity sources and create an identity-based Policy.
The recommendation is to install 3 main components in the setup:
1. User host (Windows)
2. Check Point Security Gateway R75.20 or higher
3. Microsoft Windows server with Active Directory, DNS and IIS (Web resource)
Deploy the Security Gateway in front of the protected resource, the Windows server that runs IIS
(web server). The user host computer will access the protected resource via the Security Gateway.

Testing Endpoint Identity Agents

Enable and configure Identity Agents, and configure Identity Agents self-provisioning through
Captive Portal ("Configuring Endpoint Identity Agent Deployment from Captive Portal" on page 56).
1. Open a browser and connect to the web resource. You are redirected to the Captive Portal.
2. Enter user credentials.
3. Install the client as requested by the Captive Portal.
When the client is installed wait for an authentication pop-up to enter the user credentials
through the client.
4. Test connectivity.

Identity Awareness Administration Guide R80.10 | 114

 Advanced Identity Awareness Deployment

Deployment Scenarios
Perimeter Identity Awareness Gateway
Security Challenge
The Security Gateway at the perimeter behaves as a main gate for all incoming and outgoing
traffic to and from your corporate network. Users in internal networks access the Internet
resource and applications daily. Not all Internet applications and web sites are secure and some
are restricted according to corporate policy. If you block all internal access, it will affect
productivity of employees that must have access as part of their daily work definition. You can
control access to allowed applications with the Application Control blade. However, you require a
more granular access policy for user and computer identity.
Access roles let you configure an identity aware policy with Application Control, to allow access
only to specified user groups to the applications on the Internet.
Enable Identity Awareness on the perimeter Security Gateway.

Deployment scenario
1. Deploy the Security Gateway at the perimeter in routing mode and define an external interface
towards the ISP (the Internet) and an internal interface points to the internal corporate
network LAN.
Optional: you can define another internal interface, which protects DMZ servers.
2. Make sure there are no NAT or Proxy servers between the gateway and your network.
Best Practice - We recommend that the Proxy server be in the DMZ network.
3. Check that the Security Gateway has connectivity to the internal AD domain controllers.
4. Make sure that users can reach the internal interface of the Security Gateway.
5. Configure the Application Control blade.
See the R80.10 Next Generation Security Gateway Administration Guide
http://downloads.checkpoint.com/dc/download.htm?ID=54806.
6. If you have several perimeter Security Gateways leading to the Internet, we recommend that
you manage these Security Gateways with one Security Management Server and
SmartConsole to deploy the relevant security policy.

Configuration
1. Enable Identity Awareness and select the appropriate identity sources.
2. Create Access Roles based on users and computers. You can create multiple Access Roles
that represent different departments, user and computer groups and their location in the
network.
3. Add the Access Roles to the source column of the relevant Firewall and application control
policies.

Identity Awareness Administration Guide R80.10 | 115

 Advanced Identity Awareness Deployment

This is a sample diagram for a small to medium corporate headquarters.

Item Description
1 Corporate data center

2 Identity Awareness Gateway protects the data center

3 Perimeter Identity Awareness Gateway

User IDs are sent to the gateway that protects the data center

4 Internal network resources

5 LDAP server (for example Active Directory)

6 Internet

Data Center Protection

Security Challenge
The Data Center contains sensitive corporate resources and information that you must securely
protect from unauthorized access. You must also protect it from malwares and viruses that can
harm databases and steal corporate information. Access to the Data Center and particularly to
certain applications must be granted only to compliant users and computers.

Deployment Scenario
1. Deploy the Security Gateway inline in front of the Date Center core switch, protecting access to
the Data Center from the LAN.
2. Best Practice - We recommend that you deploy the Security Gateway in the bridge mode, to
avoid any changes in the network. However, IP routing mode is also supported.
3. Define at least two interfaces on the Security Gateway and configure them to be internal or
bridged.
4. Make sure that the Security Gateway has connectivity to the Active Directory and all relevant
internal domain controllers in the network (LAN).
5. Make sure that users from the LAN can connect to the Data Center through the Security
Gateway with an "Any Any Accept" policy.

Identity Awareness Administration Guide R80.10 | 116

 Advanced Identity Awareness Deployment

6. Make sure that you do not have a proxy or NAT device between the Security Gateway and users
or the LAN.

Configuration
1. Enable Identity Awareness on the Security Gateway and select identity sources.
2. Create Access Roles for users and apply the Access Roles to relevant Access Control Policy
rules.

Large Scale Enterprise Deployment

Security Challenge
In complex large-scale enterprise networks, you must control access from the local network to
the Internet and to multiple Data Center resources. The Data Center contains sensitive corporate
resources and information that must be securely protected from unauthorized access. Grant
access only to policy-compliant users and computers. Protect your network and Data Center from
malware, bots, and viruses.
Users in the internal networks access Internet resources and applications daily. Not all Internet
applications and web sites are secure, and some are restricted by the corporate policy. If you
block all internal access, it will affect productivity of employees who must have access in the
context of their daily work definition. You can control access to the allowed applications with the
Application Control blade. If you require a granular access policy based on user and computer
identity, use Access Roles with Application Control.

Deployment Scenario
1. Deploy or use existing Security Gateways at the perimeter and in front of the Data Center.
2. Install the Security Gateway at the perimeter in routing mode, and use at least one external
interface to the Internet and one to the internal network (define it as an internal interface).
3. Deploy the Security Gateway as an inline device in front of the Data Center in bridge mode to
avoid network changes. This is not required, but is recommended. Nonetheless, IP routing
mode is also supported.
4. Make sure that all Security Gateways in the Data Centers and perimeter can communicate
directly with each other.
5. Best Practice - We recommend that you manage the Security Gateway from one Security
Management Server and SmartConsole.
6. Make sure that there is connectivity from each Security Gateway to the Active Directory
internal domain controllers.
7. Make sure that in an "Any Any Accept" Policy, users from the LAN can connect to the desired
resources.
8. Make sure there are no NAT or Proxy servers between the gateway and your network. Best
Practice - We recommend that you put your Proxy server in the DMZ network.

Configuration
1. Enable Identity Awareness on the Security Gateway.
2. Choose the identity source method for each Security Gateway, at the perimeter and at the Data
Center.
3. Create Access Roles for users, and apply Access Roles to the applicable Firewall security
rules.
4. Add Access Roles to the Policy.
Identity Awareness Administration Guide R80.10 | 117
 Advanced Identity Awareness Deployment

5. In the Gateway Properties > Identity Awareness tab, select Share local identities with other
gateways.
6. Install the Policy on the perimeter Security Gateway.

Item Description
1 Corporate data centers

2 Identity Awareness Gateway protects the data center

3 Perimeter Identity Awareness Gateway

User IDs are sent to the gateways that protect the data centers

4 Internal network resources

5 LDAP server (for example Active Directory)

6 Internet

Best Practice - AD Query Recommended Configuration

When you enable AD Query to obtain user and computer identity, we recommend that you enable
the feature on all Security Gateways that participate in the network environment. All Security
Gateways should have the Active Directory domain defined with the list of all applicable domain
controllers in the internal network.

Best Practice - Endpoint Identity Agents Recommended Configuration

If you choose to use Endpoint Identity Agents to authenticate users and computers, you have to
select the Security Gateway that will be used to maintain Endpoint Identity Agents.
For a single Data Center and perimeter Security Gateway, we recommend that you define Endpoint
Identity Agents that connect to a single Security Gateway. Then the identity obtained by the
Security Gateway is shared with the other Security Gateways in the network. Select a high capacity
/ performance Security Gateway, which can also behave as an authentication server, and configure
this Security Gateway’s IP / DNS on the Endpoint Identity Agents (see Endpoint Identity Agents
section).

Identity Awareness Administration Guide R80.10 | 118

 Advanced Identity Awareness Deployment

For complex multi Data Center environments, where there are several Security Gateways that
protect different Data Centers and the perimeter, we recommend that you balance Endpoint
Identity Agents authentication using different Security Gateways. You can configure a list of
Security Gateways in the Endpoint Identity Agent settings, where the Endpoint Identity Agent will
connect to different Security Gateways. This provides load balancing across the Security
Gateways. Identities learned from the agents are shared between all Security Gateways in the
network.

To define a list of Security Gateways, between which identity information is shared:

1. Open Gateway properties > Identity Awareness.
2. Select Get identities from other gateways.
3. Select the Security Gateways with the identities.

Network Segregation
Security Challenge
Networks consist of different network segments and subnets where your internal users reside.
Users that connect to the network can potentially spread viruses and malwares across the
network that can infect other computers and servers on the network. You want to make sure that
only compliant users and computers can pass and connect across multiple network segments, as
well as authenticate users connecting to the servers and the Internet.

Deployment scenario
• Best Practice - We recommend that you deploy Security Gateways close to access networks
before the core switch.
• Access between the segments is controlled by the Security Gateway.
• Access between the LAN and Data Center is controlled by the Security Gateway.
• Access between the LAN and the Internet is controlled by the Security Gateways either at each
segment or at the perimeter Security Gateway.
• Best Practice - We recommend that you deploy the Security Gateway in bridge mode to avoid
network and routing changes.
• Each Security Gateway of a particular segment authenticates users with the selected method.
• Share identities learned from the segment Security Gateways with the perimeter Firewall to
create an outgoing traffic Firewall policy or use an Application Control policy as well.

Configuration
1. Deploy Security Gateways in each segment in bridge mode.
2. Make sure that there is no proxy or NAT device between the Security Gateways and the LAN.
3. Make sure that the Security Gateways can communicate with the Active Directory domain
controller deployed in each segment (replicated domain controllers).
If there is a general domain controller that serves all users across the segments, make sure
that all Security Gateways can connect to this domain controller.
4. Enable Identity Awareness on each Security Gateway and select an appropriate identity source
method.

Identity Awareness Administration Guide R80.10 | 119

 Advanced Identity Awareness Deployment

5. In the Identity Awareness tab, clear the Share local identities with other gateways option.
If you want to share identities with one Security Gateway, for example, the perimeter Security
Gateway, keep this option selected and disable Get identities from other gateways in the
segment Security Gateway. Then go to the perimeter Security Gateway and select Get
identities from other gateways.
6. If you want to use Endpoint Identity Agents, then define the particular Security Gateway DNS/IP
in the agent Security Gateway configuration per access segment.

Distributed Enterprise with Branch Offices

Security Challenge
In distributed enterprises, there is a potential risk of malware and viruses spreading from remote
branch offices over VPN links to the corporate internal networks. There is also a challenge of how
to provide authorized access to users that come from remote branch offices that request and want
to access the Data Center and the Internet.

Deployment Scenario
1. Best Practice - We recommend that you deploy Security Gateways at the remote branch
offices and at headquarters in front of the Data Center and at the perimeter.
2. At remote branch offices, you can deploy low capacity Security Gateways due to a relatively low
number of users.
Deploy the remote branch Security Gateways in IP routing mode and have them function as a
perimeter Firewall and VPN gateway, establishing a VPN link to the corporate Security
Gateways.
3. Best Practice - At the corporate headquarters, we recommend that you deploy Data Center
Security Gateways to protect access to Data Center resources and applications, as well as a
perimeter Security Gateway. You can install the Data Center Security Gateway in bridge mode
to avoid changes to the existing network.
4. In this scenario, users from the branch office are identified by the local branch office Security
Gateway before connecting to the corporate network over VPN.
5. The identities learned by the branch office Security Gateways are then shared with the
headquarters' internal and perimeter Security Gateways. When a user from a branch office
attempts to connect to the Data Center, the user is identified by the Security Gateway at the
headquarters Data Center without the need for additional authentication.

Identity Awareness Administration Guide R80.10 | 120

 Advanced Identity Awareness Deployment

Item Description
1 Internal network resources - branch office

2 Branch Identity Awareness Gateway

User IDs are sent to the corporate gateways

3 LDAP server (for example Active Directory)

4 Internet

5 Perimeter corporate Identity Awareness Gateway

6 Identity Awareness Gateway that protects the data center

7 Corporate data center

8 Internal network resources - corporate office

Configuration
1. Select a Security Gateway according to a performance guideline for your remote branch
offices.
2. Deploy the Security Gateways at the branch offices in routing mode. Define VPN site-to-site if
necessary.
3. Deploy Security Gateways inline at the Data Center. We recommend using bridge mode.
4. Deploy a Security Gateway at the perimeter that protects the internal network in routing mode.
The perimeter Security Gateway can serve as a VPN Security Gateway for branch offices as
well.
5. If you have Active Directory domain controllers replicated across your branch offices make
sure that local Security Gateways can communicate with the domain controller. In case you do
not have a local domain controller, make sure that the Security Gateways can access the
headquarters' internal domain controller over VPN.
6. Enable Identity Awareness and select the appropriate methods to get identity.
7. Create an Access Role and apply the roles in the security policy on the branch office Security
Gateways, perimeter and Data Center Security Gateway.
8. Share identities between the branch offices with the headquarter and Data Center Security
Gateways. In the Identity Awareness tab, select Get identities from other gateways and Share
local identities with other gateways.

Best Practice - AD Query Recommended Configuration

When you use AD Query to authenticate users from the local and branch offices, we recommend
that you only configure a local domain controller list per site in the relevant Security Gateways.
For example, if you have a branch office Security Gateway and a Data Center Security Gateway,
enable AD Query on all Security Gateways. On the branch office Security Gateway, select the Active
Directory domain controllers replications installed in the branch office only. On the Data Center
Security Gateway, configure a list of domain controllers installed in the internal headquarters
network.
It is not necessary to configure all domain controllers available in the network, since the identity
information is shared between branch and internal Security Gateways accordingly.

Identity Awareness Administration Guide R80.10 | 121

 Advanced Identity Awareness Deployment

Best Practice - Endpoint Identity Agents Recommended Configuration

When using Endpoint Identity Agents, we recommend that you configure the local branch office
Security Gateway DNS/IP on the agent. The agents connect to the local Security Gateway and the
user is authenticated, identities are shared with the internal headquarter Security Gateways.

Wireless Campus
Security Challenge
You use wireless networks to grant access to employees that use Wi-Fi enabled devices, guests
and contractors. Guests and contractors in some cases cannot use the corporate wired network
connection and must connect through WLAN. Furthermore, it is not intended for guests and
contractors to install any endpoint agents on their devices.
Wireless access is also intensively used to connect mobile devices such as smartphones where
agents can be installed. These devices are not part of the Active Directory domain. Wireless
networks do not give a desired level of security in terms of network access.

Deployment Scenario
1. Deploy the Security Gateway in bridge mode in front of the Wireless Switch.
2. Make sure that the Security Gateway can access the Internet or any other required resource in
the network.
3. Make sure that the Security Gateway can communicate with the authentication server, such as
Active Directory or RADIUS.
4. Check that there is no NAT or proxy device between the Security Gateway and the WLAN
network.

Configuration
1. Enable Identity Awareness on the Security Gateway.
2. Select Browser-Based Authentication as an identity source.
3. In the Gateway properties > Identity Awareness tab > Browser-Based Authentication Settings,
select Unregistered guests login and in Settings, select the fields you want guests to fill when
they register.
4. Select Log out users when they close the portal browser.

Dedicated Identity Acquisition Security Gateway

Security Challenge
You have several Security Gateways that protect the Data Center or Internet access where access
is based on identity acquisition. The Security Gateways run different blades and deal with heavy
traffic inspection.
To avoid an impact on performance of the Security Gateways in terms of user identity acquisition
and authentication, it is possible to offload this functionality to a separate Security Gateway. The
dedicated Security Gateway is responsible for acquiring user identity, performing authentication
and sharing learned identities with all Security Gateways in the network.

Identity Awareness Administration Guide R80.10 | 122

 Advanced Identity Awareness Deployment

Deployment Scenario
In this deployment scenario, you have to choose an appropriate appliance to deploy as the
dedicated Identity Awareness enabled Security Gateway. All users authenticate with this Security
Gateway.
If you enable AD Query, the dedicated Security Gateway should communicate with all Active
Directory domain controllers over WMI.
1. On the dedicated identity acquisition Security Gateway, enable the Identity Awareness feature
and select the identity method.
2. On the Security Gateways, enable Identity Awareness and select Get identities from other
gateways and Share local identities with other gateways.

Item Description
1 Internal network resources

2 Security Gateway with Identity Awareness that protects the internal network
User IDs are sent to the corporate gateways

3 Corporate data center

4 Security Gateway with Identity Awareness that protects the data center

5 LDAP server (for example Active Directory)

6 Dedicated Identity Awareness Security Gateway

7 Perimeter corporate Security Gateway with Identity Awareness

8 Internet

Identity Awareness Administration Guide R80.10 | 123

CHAPTE R 9

Advanced Browser-Based
Authentication Configuration
In This Section:
Customizing Text Strings ...........................................................................................124
Adding a New Language .............................................................................................126
Server Certificates ......................................................................................................129
Transparent Kerberos Authentication Configuration ...............................................132

Customizing Text Strings

You can customize some aspects of the web interface. This includes changes to the text strings
shown on the Captive Portal Network Login page. You can make changes to the default English
language or edit files to show text strings in other languages.
You can change English text that is shown on the Captive Portal to different English text through
the SmartConsole. The changes are saved in the database and can be upgraded.
To configure other languages to show text strings in a specified language on the Captive Portal,
you must configure language files. These language files are saved on the Security Gateway and
cannot be upgraded. If you upgrade the Security Gateway, these files must be configured again.
To help you understand what each string ID means, you can set the Captive Portal to String ID
Help Mode. This mode lets you view the string IDs used for the text captions.

Setting Captive Portal to String ID Help Mode

To set the Captive Portal to String ID Help mode:
1. On the Security Gateway, open the file:
/opt/CPNacPortal/phpincs/utils/L10N.php
2. Replace the line // return $stringID; with return $stringID;
(delete the two backslashes that you see before the text return $stringID).
3. Reload the Captive Portal in your web browser.
The Captive Portal opens showing the string IDs.
4. To revert to regular viewing mode, open the file L10N.php and put backslashes before the
text return #stringID. See the highlighted text in step number 2 above.

Changing Portal Text in SmartConsole

To change the text that shows in SmartConsole:
1. In SmartConsole, go to Menu > Global properties...
2. In the left navigation tree, click Advanced > Configure...
3. Go to Identity Awareness > Portal Texts.

Identity Awareness Administration Guide R80.10 | 124

 Advanced Browser-Based Authentication Configuration

4. Delete the word DEFAULT and type the new English text in the required field.
5. Click OK.
6. Install the policy.

Identity Awareness Administration Guide R80.10 | 125

 Advanced Browser-Based Authentication Configuration

Adding a New Language

You can configure the Captive Portal to show the Network Login pages in different languages.
After you set the language selection list, users can choose the language they prefer to log in with
from a list at the bottom of the page.

To configure a language for Captive Portal you must:

1. Edit the language array for the new language locale.
2. Use the English language file as a template to create new language files. Then translate the
strings in the new language file.
3. Save the files with UTF-8 encoding and move them to the correct location.
4. Set the language selection list to show on the Network Login page.
5. Make sure the text strings are shown correctly.

Editing the Language Array

The supported language file contains entries for languages that you can see in the list on the
Captive Portal page.
By default, English is the only language entry in the list. It has a corresponding language file. For
each new language, you must create an entry in the supported languages file and create a new
language file.

To create a new language, add an entry to the supported languages file:

1. Open the file:
/opt/CPNacPortal/phpincs/conf/L10N/supportedLanguages.php
2. In the $arLanguages array, create a new locale entry with the syntax: "xx_XX" =>
"XName".
For example: "de_DE" => "German".

To disable a language:
Comment out the line of the specific language or delete the line.

Creating New Language Files

To create new language files, use the English language file (portal_en_US.php) as a template
and refer to it for the source language. The file contains the message strings. It is not necessary
to translate all strings, but you must include all strings in the new language file.
When you translate a string, make sure that the string's length is almost the same in size as the
initial English string. This is important to prevent breaks in the page layout. If this is not possible,
consult with technical support.
You cannot use HTML special character sequences such as &nbsp; / &lt; / &gt in the
translated strings.

Identity Awareness Administration Guide R80.10 | 126

 Advanced Browser-Based Authentication Configuration

To create a new language file:

1. Make a copy of the English language file:
/opt/CPNacPortal/phpincs/conf/L10N/portal_en_US.php
2. Rename it to the new language using the syntax portal_xx_XX.php.
For example, portal_de_DE.php
3. Translate the strings in the new language file.
4. Make sure that the read permissions for the new language file are the same as those for the
original language file. Run this command to set the permissions for read and write:
chmod 666 <file name>.

Saving New Language Files

You must save the language file with UTF-8 encoding.

To save a file with UTF-8 encoding:

1. Use Notepad, Microsoft Word or a different editor to save the file with UTF-8 encoding. When
using Microsoft Word, save the file as a '.txt' file with UTF-8 as the encoding method and
rename it to portal_xx_XX.php. For example: portal_de_DE.php.
2. Move the file to /opt/CPNacPortal/phpincs/conf/L10N if it is not already there.

Showing the Language Selection List

When you only use the English language, the language selection list does not show at the bottom
of the Captive Portal Network Login page. When you configure additional languages, you must
show the language selection list on the Network Login page. Captive Portal users can then select
the language, with which to log in.

To see the language list on the Network Login page:

1. On the Security Gateway, open the file:
/opt/CPNacPortal/phpincs/view/html/Authentication.php
2. Back up the file (for possible future revert).
3. In <label for="language_selection">, remove the lines that start with <?PHP /* and
end with */ ?>

Identity Awareness Administration Guide R80.10 | 127

 Advanced Browser-Based Authentication Configuration

The lines to remove are in the square:

4. Save the file.

The language selection list will show on the Network Login page.
To revert to not showing the language selection list, replace the current file with the backup of the
original file.

Making Sure the Strings Show Correctly

To make sure the strings show correctly:
1. Browse to the Captive Portal and select the new language.
2. Browse from different operating systems with different locale setups.
3. Make sure that the text is shown correctly on the Captive Portal pages.
4. Browse to the Captive Portal from a different browser and use a different font size.

Identity Awareness Administration Guide R80.10 | 128

 Advanced Browser-Based Authentication Configuration

Server Certificates
For secure SSL communication, gateways must establish trust with endpoint computers by
showing a Server Certificate. This section discusses the procedures necessary to generate and
install server certificates.
Check Point gateways, by default, use a certificate created by the Internal Certificate Authority on
the Security Management Server as their server certificate. Browsers do not trust this certificate.
When an endpoint computer tries to connect to the gateway with the default certificate, certificate
warning messages open in the browser. To prevent these warnings, the administrator must install
a server certificate signed by a trusted certificate authority.
All portals on the same Security Gateway IP address use the same certificate.

Obtaining and Installing a Trusted Server Certificate

To be accepted by an endpoint computer without a warning, gateways must have a server
certificate signed by a known certificate authority (such as Entrust, VeriSign or Thawte). This
certificate can be issued directly to the gateway, or be a chained certificate that has a certification
path to a trusted root certificate authority (CA).
The next sections describe how to get a certificate for a gateway that is signed by a known
Certificate Authority (CA).

Generating the Certificate Signing Request

First, generate a Certificate Signing Request (CSR). The CSR is for a server certificate, because
the gateway acts as a server to the clients.
Note - This procedure creates private key files. If private key files with the same names already
exist on the computer, they are overwritten without warning.
1. From the gateway command line, log in to expert mode.
2. Run:
cpopenssl req -new -out <CSR file> -keyout <private key file> -config
$CPDIR/conf/openssl.cnf
This command generates a private key. You see this output:
Generating a 2048 bit RSA private key
.+++
...+++
writing new private key to 'server1.key'
Enter PEM pass phrase:
3. Enter a password and confirm.
Fill in the data.
• The Common Name field is mandatory. This field must have the Fully Qualified Domain
Name (FQDN). This is the site that users access. For example: portal.example.com.
• All other fields are optional.
4. Send the CSR file to a trusted certificate authority. Make sure to request a Signed Certificate in
PEM format. Keep the .key private key file.

Identity Awareness Administration Guide R80.10 | 129

 Advanced Browser-Based Authentication Configuration

Generating the P12 File

After you get the Signed Certificate for the gateway from the CA, generate a P12 file that has the
Signed Certificate and the private key.
1. Get the Signed Certificate for the gateway from the CA.
If the signed certificate is in P12 or P7B format, convert these files to a PEM (Base64 encoded)
formatted file with a CRT extension.
2. Make sure that the CRT file has the full certificate chain up to a trusted root CA.
Usually you get the certificate chain from the signing CA. Sometimes it split into separate files.
If the signed certificate and the trust chain are in separate files, use a text editor to combine
them into one file. Make sure the server certificate is at the top of the CRT file.
3. From the gateway command line, log in to expert mode.
4. Use the *.crt file to install the certificate with the *.key file that you generated.
a) Run:
cpopenssl pkcs12 -export -out <output file> -in <signed cert chain file>
-inkey <private key file>
For example:
cpopenssl pkcs12 -export -out server1.p12 -in server1.crt -inkey
server1.key
b) Enter the certificate password when prompted.

Installing the Signed Certificate

To install the certificate:
1. Log in to SmartConsole.
2. From the left Navigation Toolbar, click Gateways & Servers.
3. Open the Identity Awareness Gateway object.
4. In the navigation tree, click the appropriate Software Blade page:
• Mobile Access > Portal Settings
• Platform Portal
• Data Loss Prevention
• Identity Awareness > Captive Portal > Settings > Access Settings
In the Certificate section, click Import or Replace.
5. Install the Access Policy on the gateway.
Note - The Repository of Certificates on the IPsec VPN page of the gateway object is only for
self-signed certificates. It does not affect the certificate installed manually using this
procedure.

Identity Awareness Administration Guide R80.10 | 130

 Advanced Browser-Based Authentication Configuration

Viewing the Certificate

To see the new certificate from a Web browser:
The Security Gateway uses the certificate when you connect with a browser to the portal. To see
the certificate when you connect to the portal, click the lock icon that is next to the address bar in
most browsers.
The certificate that users see depends on the actual IP address that they use to access the portal -
not only the IP address configured for the portal in SmartConsole.

To see the new certificate from SmartConsole:

From a page that contains the portal settings for that blade/feature, click View in the Certificate
section.

Identity Awareness Administration Guide R80.10 | 131

 Advanced Browser-Based Authentication Configuration

Transparent Kerberos Authentication Configuration

The Transparent Kerberos Authentication Single-Sign On (SSO) solution transparently
authenticates users already logged into AD. This means that a user authenticates to the domain
one time and has access to all authorized network resources without having to enter credentials
again. If Transparent Kerberos Authentication fails, the user is redirected to the Captive Portal for
manual authentication.
Note -The Endpoint Identity Agent download link and the Automatic Logout option are ignored
when Transparent Kerberos Authentication SSO is successful. The user does not see the Captive
Portal.

SSO in Windows domains works with the Kerberos authentication protocol.

The Kerberos protocol is based on the concept of tickets, encrypted data packets issued by a
trusted authority, Active Directory (AD). When a user logs in, the user authenticates to a domain
controller that gives an initial ticket granting ticket (TGT). This ticket vouches for the user's
identity.
In this solution, when an unidentified user is about to be redirected to the Captive Portal for
identification:
1. Captive Portal asks the browser for authentication.
2. The browser shows a Kerberos ticket to the Captive Portal.
3. Captive Portal sends the ticket to the gateway (the Identity Awareness Gateway).
4. The gateway decrypts the ticket, extracts the user's identity, and publishes it to all Security
Gateways with Identity Awareness.
5. The authorized and identified user is redirected to the originally requested URL.
6. If transparent automatic authentication fails (steps 2-5), the user is redirected to the Captive
Portal for identification.
Transparent Kerberos Authentication uses the GSS-API Negotiation Mechanism (SPNEGO)
internet standard to negotiate Kerberos. This mechanism works like the mechanism that Endpoint
Identity Agents use to present the Kerberos ticket ("How SSO Works" on page 138).
You can configure SSO Transparent Kerberos Authentication to work with HTTP and/or HTTPS
connections. HTTP connections work transparently with SSO Transparent Kerberos Authentication
at all times. HTTPS connections work transparently only if the Security Gateway has a signed
.p12 certificate. If the Security Gateway does not have a certificate, the user sees, and must
respond to, the certificate warning message before a connection is made.
For more about Kerberos SSO, we recommend the MIT Kerberos web site
http://web.mit.edu/Kerberos/ and the Microsoft TechNet Library
http://technet.microsoft.com/en-us/library/bb742433.aspx.

Identity Awareness Administration Guide R80.10 | 132

 Advanced Browser-Based Authentication Configuration

Configuration Overview
Transparent Kerberos Authentication SSO configuration includes these steps. They are described
in details in this section.
• AD configuration - Creating a user account and mapping it to a Kerberos principal name
• For HTTP connections: (HTTP/<captive portal full dns name>@DOMAIN)
• For HTTPS connections: (HTTPS/<captive portal full dns name>@DOMAIN)
• SmartConsole configuration:
• Creating an LDAP Account Unit and configuring it with SSO.
• Enabling Transparent Kerberos Authentication on the Identity Awareness Gateway.
• Endpoint client configuration - Configuring trusted sites in the browsers.
Where applicable, the procedures give instructions for both HTTP and HTTPS configuration.

Creating a New User Account

1. In Active Directory, open Active Directory Users and Computers (Start->Run->dsa.msc)
2. Add a new user account.
You can choose any username and password. For example: a user account named ckpsso
with the password qwe123!@# to the domain corp.acme.com.
3. Clear User must change password at next logon and select Password Never Expires.

Mapping the User Account to a Kerberos Principal Name

Run the setspn utility to create a Kerberos principal name, used by the Security Gateway and the
AD. A Kerberos principal name contains a service name (for the Security Gateway that browsers
connect to) and the domain name (to which the service belongs).
setspn is a command line utility that is available for Windows Server 2000 and higher.

Installing setspn.exe
Install the correct setspn.exe version on the AD server. The setspn.exe utility is not installed
by default in Windows 2003.

To get the correct executable:

On Windows 2003:
1. Get the correct executable for your service pack from the Microsoft Support site
http://support.microsoft.com/ before installation. It is part of the Windows 2003 support tools.
For example, AD 2003 SP2 requires support tools for 2003 SP2
http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-9A77
2EA2DF90&displaylang=en.
2. Download the support.cab and suptools.msi files to a new folder on your AD server.
3. Run the suptools.msi.
If you use Active Directory with Windows Server 2008 and higher, the setspn utility is installed on
your server in the Windows\System32 folder. Run the command prompt as an Administrator.

Identity Awareness Administration Guide R80.10 | 133

 Advanced Browser-Based Authentication Configuration

Important - If you used the setspn utility before, with the same principal name, but with a
different account, you must delete the different account or remove the association to the principal
name.
To remove the association, run:
setspn -D HTTP/<captive_portal_full_dns_name> <old_account name>
If you do not do this, authentication will fail.

To use setspn:
1. Open the command line (Start > Run > cmd).
2. Run setspn with this syntax:
For HTTP connections:
> setspn -A HTTP/<captive_portal_full_dns_name> <username>
For HTTPS connections:
> setspn -A HTTPS/<captive_portal_full_dns_name> <username>
Important - Make sure that you enter the command exactly as shown. All parameters are case
sensitive.
Example:
> setspn -A HTTP/mycaptive.corp.acme.com ckpsso
The AD is ready to support Kerberos authentication for the Security Gateway.
To see users associated with the principle name, run: setspn -Q HTTP*/*

Configuring an Account Unit

If you already have an Account Unit from the Identity Awareness First Time Configuration Wizard,
use that unit. Do not do the first steps. Start with: "Click Active Directory SSO configuration and
configure the values".

To configure an Account Unit:

1. Add a new host to represent the AD domain controller: In SmartConsole, open the Object
Explorer (Ctrl+E) and click New > Host.
2. Enter a name and IP address for the AD object.
3. Click OK.
4. Add a new LDAP Account Unit:
In the Object Explorer, click New > Server > LDAP Account Unit.
5. In the General tab of the LDAP Account Unit:
a) Enter a name.
b) In Profile, select Microsoft_AD.
c) In Domain, enter the domain name.
Best Practice - Enter the domain for existing Account Units to use for Identity Awareness. If
you enter a domain, it does not affect existing LDAP Account Units.
d) Select CRL retrieval and User management.

Identity Awareness Administration Guide R80.10 | 134

 Advanced Browser-Based Authentication Configuration

6. Click Active Directory SSO configuration and configure the values:

a) Select Use Kerberos Single Sign On.
b) Enter the domain name.
c) Enter the account username you created in Creating a New User Account (on page 133).
d) Enter the account password for that user (the same password you configured for the
account username in AD) and confirm it.
e) Leave the default settings for Ticket encryption method.
f) Click OK.
7. In the Servers tab:
a) Click Add and enter the LDAP Server properties.
b) In Host, select the AD object you configured.
c) In Login DN, enter the login DN of a predefined user (added in the AD) used for LDAP
operations.
d) Enter the LDAP user password and confirm it.
e) In the Check Point Gateways are allowed to section, select Read data from this server.
f) In the Encryption tab, select Use Encryption (SSL). Fetch the fingerprint and click OK.
Note - LDAP over SSL is not supported by default. If you did not configure your domain
controller to support LDAP over SSL, configure it, or make sure Use Encryption (SSL) is
not selected.
8. In the Objects Management tab:
a) In Server to connect, select the AD object you configured.
b) Click Fetch Branches to configure the branches in use.
c) Set the number of entries supported.
9. In the Authentication tab, select Default authentication scheme > Check Point Password.
10. Click OK.

Enabling Transparent Kerberos Authentication

1. Log in to SmartConsole.
2. From the left Navigation Toolbar, click Gateways & Servers.
3. Open the Identity Awareness Gateway object.
4. In the left tree, go to the Identity Awareness page.
5. Click Browser-Based Authentication > Settings.
The Portal Settings window opens.
6. In the Authentication Settings section, click Edit.
7. Select Automatically authenticate users from machines in the domain.
The Main URL field contains the URL (with IP address or Hostname) that is used to begin the
SSO process. If transparent authentication fails, users are redirected to the configured Captive
Portal.
8. Click OK to close all windows.
9. Install the Access Policy.

Identity Awareness Administration Guide R80.10 | 135

 Advanced Browser-Based Authentication Configuration

Browser Configuration
To work with Transparent Kerberos Authentication, it is necessary to configure your browser to
trust Captive Portal URL. If the portal is working with HTTPS, you must also enter the URL in the
Local Internet field using HTTPS.

Internet Explorer
It is not necessary to add the Captive Portal URL to Trusted Sites.

To configure Internet Explorer for Transparent Kerberos Authentication:

1. Open Internet Explorer.
2. Go to Internet Tools > Options > Security > Local intranet > Sites > Advanced.
3. Enter the Captive Portal URL in the applicable and then click Add.

Google Chrome
If you have already configured Internet Explorer for Transparent Kerberos Authentication, that
configuration also works with Chrome. Use this procedure only if you did not configure Internet
Explorer for Transparent Kerberos Authentication.

To configure Google Chrome for Transparent Kerberos Authentication:

1. Open Chrome.
2. Click the menu (wrench) icon and select Settings.
3. Click Show advanced settings.
4. In the Network section, click Change Proxy Settings.
5. In the Internet Properties window, go to Security > Local intranet > Sites > Advanced.
6. Enter the Captive Portal URL in the applicable field.

Firefox
For Firefox, the Negotiate authentication option is disabled by default. To use Transparent
Kerberos Authentication, you must enable this option.

To configure Firefox for Transparent Kerberos Authentication:

1. Open Firefox.
2. In the URL bar, enter about:config
3. Search for the network.negotiate-auth.trusted-uris parameter.
4. Set the value to the DNS name of the Captive Portal Security Gateway. You can enter multiple
URLs by separating them with a comma.

Identity Awareness Administration Guide R80.10 | 136

CHAPTE R 10

Advanced Endpoint Identity Agents

Configuration
In This Section:
Customizing Parameters ...........................................................................................137
Advanced Endpoint Identity Agent Options ...............................................................138

Customizing Parameters
You can change settings for Endpoint Identity Agent parameters to control Endpoint Identity Agent
behavior. You can change some of the settings in SmartConsole and others using the Endpoint
Identity Agent Configuration tool ("Creating Custom Endpoint Identity Agents" on page 148).

To change Endpoint Identity Agents parameters in SmartConsole:

1. In SmartConsole, go to Menu > Global properties.
The Global Properties window opens.
2. In the left navigation tree, click Advanced > Configure.
3. Go to Identity Awareness > Agent.
4. Change the Endpoint Identity Agents parameters.
5. Click OK.
This is a sample list of parameters that you can change:

Parameter Description
nac_agent_disable_settings Whether users can right click the Endpoint
Identity Agent client (umbrella icon on their
desktops) and change settings.

nac_agent_email_for_sending_logs You can add a default email address, to which

to send client troubleshooting information.

nac_agent_disable_quit Whether users can right click the Endpoint

Identity Agent client (umbrella icon on their
desktops) and close the agent.

nac_agent_disable_tagging Whether to disable the packet tagging feature

that prevents IP Spoofing.

nac_agent_hide_client Whether to hide the client (the umbrella icon

does not show on users' desktops).

Identity Awareness Administration Guide R80.10 | 137

 Advanced Endpoint Identity Agents Configuration

Advanced Endpoint Identity Agent Options

Kerberos SSO Compliance
The Identity Awareness Single Sign-On (SSO) solution for Endpoint Identity Agents gives the ability
to authenticate users transparently that are logged in to the domain. This means that a user
authenticates to the domain one time and has access to all authorized network resources without
additional authentication.
Using Endpoint Identity Agents gives you:
• User and computer identity
• Minimal user intervention - The administrators do all the necessary configuration steps and
no user input is required user.
• Seamless connectivity - Transparent authentication when users are logged in to the domain. If
you do not want to use SSO, users enter their credentials manually. You can let them save
these credentials.
• Connectivity through roaming - Users stay automatically identified when they move between
networks, while the client detects the movement and reconnects.
• Added security - You can use the patented packet tagging technology to prevent IP Spoofing.
Endpoint Identity Agents also gives you strong (Kerberos based) user and computer
authentication.
You get SSO in Windows domains with the Kerberos authentication protocol. Kerberos is the
default authentication protocol used in Windows 2000 and above.
The Kerberos protocol is based on the idea of tickets, encrypted data packets issued by a trusted
authority, which in this case, is the Active Directory (AD). When a user logs in, the user
authenticates to a domain controller that provides an initial ticket granting ticket (TGT). This ticket
vouches for the user’s identity. When the user needs to authenticate against the Identity
Awareness Gateway, the Endpoint Identity Agent presents this ticket to the domain controller and
requests a service ticket (SR) for a specific resource (Security Gateway that Endpoint Identity
Agents connect to). The Endpoint Identity Agent then presents this service ticket to the Security
Gateway that grants access.

How SSO Works

This is the workflow for SSO (Single Sign On):
1. The user logs in to the computer and authenticates to the AD server.
2. The AD sends an initial ticket (TGT) to the computer.
3. The Endpoint Identity Agent connects to the Security Gateway, which then requests the
identity.
4. The Endpoint Identity Agent requests an SR (service ticket) for the Security Gateway and
presents the TGT to the AD server.
5. The AD server sends the SR to the computer.
The user name is encrypted with the shared secret between the Security Gateway and the AD
server.
6. The Endpoint Identity Agent sends the SR to the Security Gateway.

Identity Awareness Administration Guide R80.10 | 138

 Advanced Endpoint Identity Agents Configuration

7. The Security Gateway uses the shared secret to decrypt the ticket and confirms the user
identity.
8. The user can access the Data Center.

Item Description
1 Computer for the user

2 Active Directory Domain Controller server

3 Identity Awareness Gateway

4 Data Center servers

SSO Configuration
SSO configuration includes two steps:
• AD Configuration - Creating a user account and mapping it to a Kerberos principal name.
• SmartConsole Configuration - Creating an LDAP Account Unit and configuring it with SSO.

AD Configuration
To use Kerberos with AD, make a Kerberos principal name with the Check Point Security Gateway
service. Map this new account to the domain name.
Use the setspn.exe utility. Make sure you have the correct version ("Installing setspn.exe" on
page 133).
Important - If you used the setspn utility before, with the same principal name, but with a
different account, you must delete the different account, or remove the association to the principal
name.
To remove the association, run:
setspn -D ckp_pdp/<domain_full_dns_name> <old_account name>
If you do not do this, authentication will fail.

Identity Awareness Administration Guide R80.10 | 139

 Advanced Endpoint Identity Agents Configuration

To configure AD for Kerberos:

1. Make a new user account ("Creating a New User Account" on page 133).
2. Open the command line (Start > Run > cmd).
3. Run:
setspn -A ckp_pdp/<domain_full_dns_name> <username>
To see users associated with the principle name, run: setspn -Q ckp_pdp*/*
When done, configure an Account Unit ("Configuring an Account Unit" on page 134) in the
SmartConsole, to use this account.

Identity Awareness Administration Guide R80.10 | 140

 Advanced Endpoint Identity Agents Configuration

Server Discovery and Server Trust

Introduction
The Endpoint Identity Agent client needs to be connected to an Identity Awareness Gateway. For
this to happen, it must discover the server and trust it.

Server discovery refers to the process of deciding, to which server the client should connect. We
offer several methods for configuring server discovery – from a very basic method of simply
configuring one server to a method of deploying a domain wide policy of connecting to a server
based on your current location. This section describes these options.
Server trust refers to the process of validating that the server, to which the end user connects, is
indeed a genuine one. It also makes sure that communication between the client and the server
was not tampered with by a Man In The Middle (MITM) attack.
The trust process compares the server fingerprint calculated during the SSL handshake with the
expected fingerprint. If the client does not have the expected fingerprint configured, it will ask the
user to verify that it is correct manually. This section describes the methods that allow the
expected fingerprint to be known, without user intervention.

Identity Awareness Administration Guide R80.10 | 141

 Advanced Endpoint Identity Agents Configuration

Discovery and Trust Options

These are the options that the client has for discovering a server and creating trust with it:
• File name based server configuration – If no other method is configured (default,
out-of-the-box situation), any Endpoint Identity Agent downloaded from the portal will be
renamed to have the portal computer IP in it. During installation, the client uses this IP to
represent the Identity Awareness Gateway. Note that the user has to trust the server by
himself (the trust dialog box opens).
• AD based configuration – If client computers are members of an Active Directory domain, you
can deploy the server addresses and trust data using a dedicated tool.
• DNS SRV record based server discovery – It is possible to configure the server addresses in
the DNS server. Because the DNS is not secure, we recommend that you do not configure trust
this way. Users can authorize the server manually in a trust dialog box that opens. This is the
only server discovery method that is applicable for the MAC OS Endpoint Identity Agent.
• Remote registry – All client configuration, including the server addresses and trust data are in
the registry. You can deploy the values before installing the client (by GPO, or any other system
that lets you control the registry remotely). This lets you use the configuration from first run.
• Custom Endpoint Identity Agents – You can create a custom version of the Endpoint Identity
Agent installation package that includes the server IP and trust data.

Comparing Options
Requires Manual Multi- Client Allows Level Recommended
AD User Trust Site Remains Ongoing for...
Required? Signed? Changes
File name No Yes No Yes No Very Single Security
based Simple Gateway
deployments

AD based Yes No Yes Yes Yes Simple Deployments

with AD that
you can modify

DNS based No Yes Partially Yes Yes Simple Deployments

(per without AD or
DNS with an AD you
server) cannot modify,
but the DNS
can be changed

Remote No No Yes Yes Yes Moderate Where remote

registry registry is used
for other
purposes

Identity Awareness Administration Guide R80.10 | 142

 Advanced Endpoint Identity Agents Configuration

Requires Manual Multi- Client Allows Level Recommended

AD User Trust Site Remains Ongoing for...
Required? Signed? Changes
Pre- No No Yes No No Advanced When both DNS
packaging and AD cannot
be changed,
and there is
more than one
Security
Gateway

File Name Based Server Discovery

This option is the easiest to deploy, and works out-of-the-box if the Captive Portal is also the
Identity Awareness Gateway. If your deployment consists of one Identity Awareness Gateway, and
a Captive Portal is running on the same Security Gateway, and it is OK with you that the user needs
to verify the server fingerprint and trust it once, then you can use this option, which works with no
configuration.

How does it work?

When a user downloads the Endpoint Identity Agent client from the Captive Portal, the address of
the Identity Awareness Gateway is added to the file name. During the installation sequence, the
client checks if there is any other discovery method configured (Pre-packaged, AD based, DNS
based or local registry). If no method is configured, and the Identity Awareness Gateway can be
reached, the Endpoint Identity Agent will use it. You can make sure that this is the case by looking
at the Endpoint Identity Agent settings and seeing that the Identity Awareness Gateway that is
shown in the file name is present in the Endpoint Identity Agent dialog box.

Why can't we use this for trust data?

As the file name can be changed, we cannot be sure that the file name was not modified by an
attacker along the way. Therefore, we cannot trust data passed in the file name as authentic, and
we need to verify the trust data by another means.

AD Based Configuration
If your endpoint computers are members of an Active Directory domain, and you have
administrative access to this domain, you can use the Distributed Configuration tool to configure
connectivity and trust rules for the Endpoint Identity Agent.
This tool is installed a part of the Endpoint Identity Agent: go to the Start menu > All Programs >
Check Point > Identity Agent.
Note - You must have administrative access to this Active Directory domain.
The Distributed Configuration tool has three panes:
• Welcome - This pane describes the tool and lets you enter alternate credentials that are used
to access the AD.
• Server Configuration - This pane lets you configure, to which Identity Awareness Gateway the
Endpoint Identity Agent should connect, depending on the IPv4 / IPv6 address that is
configured on the endpoint computer, or its AD Site.
• Trusted Gateways - This pane lets you view and change the list of fingerprints of Identity
Awareness Gateways, which the Endpoint Identity Agent considers secure.

Identity Awareness Administration Guide R80.10 | 143

 Advanced Endpoint Identity Agents Configuration

Note - The complete configuration is written to Active Directory database - under the Program
Data branch in a hive named Check Point. This hive is added in the first run of the tool. Adding this
hive will not have any effect on other AD based applications or features.

Server Configuration Rules

The Endpoint Identity Agent fetches the configured rule lists from the Active Directory database.
Each time the Endpoint Identity Agent needs to connect to an Identity Awareness Gateway, it tries
to match itself against the rules, from top to bottom.
When the Endpoint Identity Agent matches a rule, it uses the Identity Awareness Gateways
configured in this rule, according to the priority specified.
For example:

This configuration means:

• If the user's computer is configured with the IPv4 address 192.168.0.1 / 24, then the
Endpoint Identity Agent needs to connect to the Identity Awareness Gateway "US-GW1".
If the gateway "US-GW1" is not available, then the Endpoint Identity Agent needs to connect to
the Identity Awareness Gateway "BAK-GS2" (it will be used only if gateway "US-GW1" is not
available, as its priority is higher).
• If the user connects from the Active Directory site "UK-SITE", then the Endpoint Identity Agent
needs to connect to either Identity Awareness Gateway "US-GW1", or Identity Awareness
Gateway "UK-GW2" (Endpoint Identity Agent will choose between these gateways randomly, as
they both have the same priority).
If both of these gateways are not available, then the Endpoint Identity Agent needs to connect
to the Identity Awareness Gateway "BAK-GS2".
• The default rule is that the Endpoint Identity Agent needs to connect to Identity Awareness
Gateway "BAK-GS2" (the default rule is always matched when it is encountered).

Identity Awareness Administration Guide R80.10 | 144

 Advanced Endpoint Identity Agents Configuration

Trusted Gateways
The Trusted Gateways pane shows the list of Identity Awareness Gateways considered trusted - no
pop-ups will open when the Endpoint Identity Agent tries to connect to these Identity Awareness
Gateways.
You can add, edit or delete a server. If you have connectivity to the Identity Awareness Gateway,
you can get the name and fingerprint by entering its address and clicking Fetch Fingerprint.
Otherwise, you should enter the same name and fingerprint that is shown when connecting to that
Identity Awareness Gateway.
For example:

DNS Based Configuration

If you configure the client to "Automatic Discovery" (the default), it looks for a server by
issuing a DNS SRV query for the address "CHECKPOINT_NAC_SERVER._tcp" (the DNS suffix is
added automatically). You can configure the address in your DNS server.
On the DNS server (Example is Windows 2003. For more information, see official Microsoft
documentation):
1. Go to Start > All Programs > Administrative Tools > DNS.
2. Go to Forward lookup zones and select the applicable domain.
3. Go to the _tcp subdomain.
4. Right-click and select Other new record.
5. Select Service Location, Create Record.
6. In the Service field, enter CHECKPOINT_NAC_SERVER.
7. Set the Port number to 443.
8. In Host offering this service, enter the address of the Identity Awareness Gateway.
9. Click OK.
Note - To define an Identity Awareness Load Sharing, make several SRV records with the same
priority. To define an Identity Awareness High Availability, make several SRV records with different
priorities.

Identity Awareness Administration Guide R80.10 | 145

 Advanced Endpoint Identity Agents Configuration

Note - If you configure AD based and DNS based configuration, the results are combined
according to the specified priority (from the lowest to highest).

Troubleshooting - See SRV Record Stored in the DNS Server

1. In Windows Command Prompt, run:
C:\> nslookup
2. Set query type to SERVER:
> set type=SRV
3. Query for the checkpoint_nac_server:
> checkpoint_nac_server._tcp
Example output:
Server: dns.company.com
Address: 192.168.0.17
checkpoint_nac_server._tcp.ad.company.com SRV service location:
priority = 0
weight = 0
port = 443
svr hostname = idserver.company.com
idserver.company.com internet address = 192.168.1.212
4. To exit, run:
> exit

Remote Registry
If you have another way to deploy registry entries to your client computers (such as Active
Directory GPO updates), you can deploy the Identity Awareness Gateway addresses and trust
parameters before you install the clients. Clients will use the already-deployed settings
immediately after installation.

To use the remote registry option:

1. Install the client on a computer. Make sure it is installed in the same mode that will be
installed on the other computers.
The full agent installs itself to your Program Files directory and saves its configuration to
HKEY_LOCAL_MACHINE.
The light Endpoint Identity Agent installs itself to the Users directory and saves its
configuration to HKEY_CURRENT_USER.
2. Connect manually to all of the servers that are configured, verify their fingerprints, and click
Trust in the fingerprint verification window.
3. In the client Settings window, configure it to connect to the requested servers.
If let the client choose a server based on location, click Advanced ("AD Based Configuration"
on page 143).

Identity Awareness Administration Guide R80.10 | 146

 Advanced Endpoint Identity Agents Configuration

4. Export these registry keys (from HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER, according

to the client type installed):
a) SOFTWARE\CheckPoint\IA\TrustedGateways (the whole tree)
b) SOFTWARE\CheckPoint\IA\ (on 32-bit), or
SOFTWARE\Wow6432Node\Checkpoint\IA (on 64-bit)
 DefaultGateway
 DefaultGatewayEnabled
 PredefinedPDPConnRBUsed
 PredefinedPDPConnectRuleBase
5. Deploy the exported keys to the workstations before you install the client on them.

Identity Awareness Administration Guide R80.10 | 147

 Advanced Endpoint Identity Agents Configuration

Creating Custom Endpoint Identity Agents

Custom Endpoint Identity Agents
You can use the Identity Awareness Configuration Utility to create custom Endpoint Identity Agent
installation packages (the Identity Awareness Configuration Utility - IAConfigTool.exe - is
installed as part of Endpoint Identity Agent). Endpoint Identity Agents have many advanced
configuration parameters. Some of these parameters are related to the installation process, while
others are related to Endpoint Identity Agent functionality. All of the configuration parameters
have default values that are deployed with the product and can remain unchanged.

Endpoint Identity Agent Type Description

Full Predefined Endpoint Identity Agent that includes packet tagging
and computer authentication. It applies to all users of the
computer, on which it is installed. Administrator permissions
are required to use the Full Endpoint Identity Agent type.

Light Predefined Endpoint Identity Agent that does not include packet
tagging and computer authentication. You can install this
Endpoint Identity Agent individually for each user on the target
computer. Administrator permissions are not required.

Terminal Servers Predefined Endpoint Identity Agent that installs Managed Asset
Detection (MAD) services and the Multi-user host driver on
Citrix and Terminal Servers. This Endpoint Identity Agent type
cannot be used for endpoint computers.

Custom Lets you configure custom features for all computers that use
this agent, such as MAD services and packet tagging.

Installing Microsoft .NET Framework

You must install Microsoft .NET Runtime framework 4.0 or higher
https://www.microsoft.com/net/download/windows before you install and run the Endpoint
Identity Agent Configuration Tool.
To install the .NET Runtime Framework v4.0:
1. Download the .NET v4.0 installation package
http://www.microsoft.com/en-us/download/details.aspx?id=17718.
2. When prompted to start the installation immediately, click Run.
3. Follow the instructions on the screen.

Working with the Endpoint Identity Agent Configuration Tool

Getting the source MSI File
To create a custom Endpoint Identity Agent installation package, you must first copy the
customizable MSI file from the Security Gateway to your management computer. This is the
computer, on which you use the Endpoint Identity Agent Configuration Tool.

Identity Awareness Administration Guide R80.10 | 148

 Advanced Endpoint Identity Agents Configuration

To get the customizable MSI file:

1. Copy this file from the Security Gateway running on Gaia to your management computer:
/opt/CPNacPortal/htdocs/nac/nacclients/customAgent.msi
2. Make a backup copy of this file on your management computer with a different name.
You must use the original copy of the MSI file when you work with the Endpoint Identity Agent
Configuration Tool.

Running the Endpoint Identity Agent Configuration Tool

You must install Endpoint Identity Agent v2.0 or above (from Security Gateway R77 or above) on
your management client computer. The Configuration Tool is installed in the Endpoint Identity
Agent installation directory.

To install the Endpoint Identity Agent on your client computer:

1. Copy these agents from the Security Gateway to your management computer:
• Full Endpoint Identity Agent:
/opt/CPNacPortal/htdocs/nac/nacclients/fullAgent.exe
• Light Endpoint Identity Agent:
/opt/CPNacPortal/htdocs/nac/nacclients/lightAgent.exe
2. Run one of these executable files as applicable for your environment.
3. Follow the instructions on the screen.

To run the Endpoint Identity Agent Configuration Tool:

1. Go to the Endpoint Identity Agent installation directory.
a) Click Start > All Programs > Check Point > Endpoint Identity Agent.
b) Right-click the Endpoint Identity Agent shortcut and select Properties from the menu.
c) Click Open File Location (Find Target in some Windows versions).
2. Double-click IAConfigTool.exe.
The Endpoint Identity Agent Configuration Tool opens.

Configuring the Endpoint Identity Agent

You configure all features and options in the Endpoint Identity Agent Configuration Tool window.

MSI Package Path

Enter or browse to the source installation package. You must use a Check Point customizable MSI
file as the source for the configuration tool.

Installation Type
Select whether the Endpoint Identity Agent applies to one user or to all users of the computer, on
which it is installed.
• Per-User - Install the Light Endpoint Identity Agent only for the user who does the installation.
Administrator permissions are not required for this installation.
• Per Computer - Install any Endpoint Identity Agent type for all users on the computer.
Administrator permissions are required for this installation type, even for the Light Endpoint
Identity Agent type.

Identity Awareness Administration Guide R80.10 | 149

 Advanced Endpoint Identity Agents Configuration

Installation UI
Select one of these end user interaction options:
• FULL (Default) - Interactive installation where the end user sees the full installation interface
and can select options.
• BASIC - Non-interactive installation where the end user only sees a progress bar and a Cancel
button.

Endpoint Identity Agent Type

Select the type of Endpoint Identity Agent to install:
• Full – Predefined Endpoint Identity Agent includes packet tagging and computer
authentication. It applies to all users of the computer that it is installed on. Administrator
permissions are required to use the Full Endpoint Identity Agent type.
• Light – Predefined Endpoint Identity Agent that does not include packet tagging and computer
authentication. You can install this Endpoint Identity Agent individually for each user on the
target computer. Administrator permissions are not required. You must select the
Per-Computer installation type for this agent type.
• Terminal Servers - Predefined Endpoint Identity Agent that installs MAD services and the
Multi-user host driver on Citrix and Terminal Servers. This Endpoint Identity Agent type cannot
be used for endpoint computers.
• Custom - Configure custom features for all computers that use this agent, such as MAD
services and packet tagging.

Custom Features
Select these features for the Custom Endpoint Identity Agent type:
• MAD Service - Install MAD (Managed Asset Detection) services for Kerberos SSO and
computer authentication.
• Packet Tagging - Install the packet tagging driver to enable anti-spoofing protection. The
driver signs every packet that is sent from the computer. This setting is required if you have
Firewall rules that use Access Roles and IP Spoofing is enabled.

Copy configuration
• Copy configuration from this computer - Copy Endpoint Identity Agent configuration settings
from this computer to other computers running a custom MSI file.

Save
Click to save this configuration to a custom MSI file. Enter a name for the MSI file.

Deploying a Custom Endpoint Identity Agent with the Captive Portal

To deploy a custom Endpoint Identity Agent with the Captive Portal:
1. Upload the custom customAgent.msi package to the
/opt/CPNacPortal/htdocs/nacclients/ directory on the Security Gateway.

Identity Awareness Administration Guide R80.10 | 150

 Advanced Endpoint Identity Agents Configuration

2. Configure the Captive Portal to distribute the custom Endpoint Identity Agent:
a) In SmartConsole, open the Identity Awareness Gateway object.
b) Go to the Identity Awareness pane.
c) Click on the Browser-Based Authentication Settings button.
d) Change the Require users to download value to Identity Agent - Custom.
e) Click OK.
3. Install the Access Policy.

Identity Awareness Administration Guide R80.10 | 151

CHAPTE R 11

Identity Awareness Commands

In This Section:
Introduction ...............................................................................................................152
adlog ............................................................................................................................153
pdp ...............................................................................................................................157
pep ...............................................................................................................................167
test_ad_connectivity ...................................................................................................172

Introduction
These terms are used in the CLI commands:
• PDP - Identity Awareness Policy Decision Point - Identity Awareness gateway, which is
responsible for collecting and sharing identities.
• PEP - Identity Awareness Policy Enforcement Point - Identity Awareness gateway, which is
responsible for enforcing network access restrictions. Decisions are made according to
identity data collected from the PDP.
• ADLOG - The module responsible for the acquisition of identities of entities (users or
computers) from the Active Directory. adlog runs on an Identity Awareness Gateway that was
enabled with AD Query, or on a Log Server.
When it runs on an Identity Awareness Gateway, the AD Query serves the Identity Awareness
Software Blade, which enforces the policy and logs identities.
When adlog runs on a Log Server, adlog logs identities.
The PEP and PDP processes are key components of the system. Through them, administrators
control user access and network protection.
The adlog is the command line process used to control and monitor the ADLOG feature. The
command line tool helps control users' statuses, as well as troubleshoot and monitor the system.

Identity Awareness Administration Guide R80.10 | 152

 Identity Awareness Commands

adlog
Description Provides commands to control and monitor the AD Query process.
When adlog runs on a Security Gateway, AD Query serves the Identity
Awareness Software Blade, which enforces policy and logs identities. In this
case the command line is:
adlog a <parameter> (see below for options).
When adlog runs on a Log Server, adlog logs identities.
In this case, the command line is: adlog l <parameter> (see below for
options).
Note - The l in adlog l is lowercase. Parameters for adlog a and adlog l
are identical.

Syntax adlog {a | l} <parameter>

Parameter Description
<none> Displays available options for this command and exits.

a | l Sets the working mode:

adlog a - If you are using AD Query for Identity Awareness.
adlog l - If you are using a Log Server (Identity Logging).

query See the corresponding section below.

debug See the corresponding section below.

dc See the corresponding section below.

statistics See the corresponding section below.

control See the corresponding sections below.

adlog query
Description Shows the database of identities acquired by AD Query, according to the given
filter.

Syntax adlog {a | l} query <parameter>

Parameter Description
ip <IP address> Filters identities relating to the given IP address.

Identity Awareness Administration Guide R80.10 | 153

 Identity Awareness Commands

Parameter Description
string <string> Filters identity mappings according to the given string.

user <user name> Filters identity mappings according to a specific user.

machine <computer Filters identity mappings according to a specific computer.

name>

all No filtering, shows the entire identity database.

Example:
adlog a query user jo
Shows the entry that contains the string "jo" in the user name.

adlog debug
Description Enables / Disables the adlog debug output.
For Identity Awareness on a Security Gateway, the output debug file is:
$FWDIR/log/pdpd.elg
For Identity Logging on a Log Server, the output debug file is:
$FWDIR/log/fwd.elg

Syntax adlog {a | l} debug <parameter>

Parameter Description
on Turns on debug.

off Turns off debug.

mode Shows debug status (on, or off).

extended Turns on debug and adds extended debug topics.

adlog dc
Description Shows the status of connection to the AD domain controller.

Syntax adlog {a | l} dc

adlog statistics
Description Displays statistics regarding NT Event logs received by adlog, per IP address
and by total. It also shows the number of identified IP addresses.

Syntax adlog {a | l} statistics

Identity Awareness Administration Guide R80.10 | 154

 Identity Awareness Commands

adlog control
Description Sends control commands to AD Query.

Syntax adlog {a | l} control <parameter>

Parameter Description
stop Stops AD Query. New identities are not acquired via AD Query.

reconf Sends a reconfiguration command to AD Query.

It resets the policy configuration as it was set in SmartConsole.

muh <option> Manages the list of Multi-User Hosts:

• mark - Adds an IP address as a Multi-User Host
• unmark - Remove an IP address from the list of Multi-User
Hosts
• show - Shows all known Multi-User Hosts
srv_accounts <option> Manages service accounts. Service accounts are accounts that do
not belong to actual users, rather they belong to services running
on a computer. They are suspected as such, if they are logged in
more than a certain number of times.
• show - Show all known service accounts
• find - Manually updates the list of service accounts
• unmark - Remove an account name from the list of service
accounts
• clear - Clears all the accounts from the list of service
accounts

adlog control muh

Description Manages the list of Multi-User Hosts.
Usage adlog {a|l} control muh <parameter>

Syntax
Parameter Description
mark Adds an IP address as a Multi-User Host

unmark Remove an IP address from the list of Multi-User Hosts

show Show all known Multi-User Hosts

Identity Awareness Administration Guide R80.10 | 155

 Identity Awareness Commands

adlog control srv_accounts

Description Manages service accounts. Service accounts are accounts that don’t belong to
actual users, rather they belong to services running on a computer. They are suspected as such if
they are logged in more than a certain number of times.
Usage adlog {a|l} control srv_accounts <parameter>

Syntax
Parameter Description
show Show all known service accounts

find Manually updates the list of service accounts

unmark Remove an account name from the list of service accounts

clear Clears all the accounts from the list of service accounts

Identity Awareness Administration Guide R80.10 | 156

 Identity Awareness Commands

pdp
Description These commands control and monitor the pdpd process (see below for
options).

Syntax pdp <command> <option>

Command Description
<none> Shows available options for this command and exits.

status Shows PDP status information, such as start time or configuration time.

monitor Monitors the status of connected PDP sessions.

connections Shows PDP connections with PEP gateways, Terminal Servers, and
Identity Collectors.

network Shows information about network related features

update Recalculates users and computers group membership.

ad For AD Query, adds (or removes) an identity to the Identity Awareness

database on the Security Gateway.

timers Shows PDP timers information for each session.

nested_groups Shows LDAP Nested groups configuration ("Nested Groups " on page
112).

auth Shows authentication or authorization options.

vpn show Shows connected VPN gateways that send VPN Remote Access Client
identity data.

radius Shows and configures the RADIUS accounting options ("Configuring

RADIUS Accounting" on page 63).

idc Operations related to Identity Collector ("Identity Collector Optimization"

on page 77).

tasks_manager Shows the status of the PDP tasks.

control Controls and sets PDP parameters.

debug Enables and disables the PDP debug.

tracker Adds the TRACKER topic to the PDP logs.

Identity Awareness Administration Guide R80.10 | 157

 Identity Awareness Commands

pdp status
Description Shows PDP status information, such as start time or configuration time.

Syntax pdp status <parameter>

Parameter Description
show Shows PDP information.

pdp monitor
Description Monitors the status of connected PDP sessions.
You can run different queries with the commands
below to get the output, in which you are interested.
Syntax pdp monitor <parameter> <option>

Parameter and option Description

all Shows information for all connected sessions.

user <user name> Shows session information for the given user name.

ip <IP address> Shows session information for the given IP address.

machine <computer name> Shows session information for the given computer name.

mad Shows all sessions that relate to a managed asset. For

example, all sessions that successfully performed
computer authentication.

client_type {unknown | Shows all sessions that connect through the given client
portal | "Identity Agent" | type:
"AD Query"}
Possible client types are:
• unknown - User was identified by an unknown source.
• portal - User was identified by the Captive Portal.
• "Identity Agent" - User/computer was identified by
an Identity Awareness Agent.
• "AD Query" - User was identified by AD Query.
groups <group name> Shows all sessions of users / computers that are members
of the given group name.

cv_ge <version> Shows all sessions that are connected with a client version
that is higher than (or equal to) the given version.

cv_le <version> Shows all sessions that are connected via a client version
that is lower than (or equal to) the given version.

Identity Awareness Administration Guide R80.10 | 158

 Identity Awareness Commands

Parameter and option Description

s_port Shows sessions filtered by assigned source port (MUH
sessions only).

network Shows sessions filtered by a network wild card. For

example: 192.168.72.*

user_exact Shows sessions filtered by the exact user.

machine_exact Shows sessions filtered by the exact machine name.

Example
pdp monitor ip 192.0.2.1
Shows the connected user behind the given IP address (192.0.2.1).
Note - The last field "Published " indicates whether the session information was already published
to the Gateway PEPs, whose IP addresses are listed.

pdp connections
Description Shows PDP connections with PEP gateways, Terminal Servers, and Identity
Collectors.

Syntax pdp connections <parameter>

Parameter Description
pep Shows the connection status of all the PEPs that should be updated by
the current PDP.

ts Shows a list of Terminal Servers that are connected.

idc Shows a list of connected Identity Collectors.

pdp network
Description Shows information about network related features.

Syntax pdp network <parameter>

Parameter Description
info Shows a list of networks known by the PDP.

registered Shows the mapping of a network address to registered gateways (PEP

module).

Identity Awareness Administration Guide R80.10 | 159

 Identity Awareness Commands

pdp update
Description Initiates a recalculation of group membership for all users and computers.
Note - Deleted accounts are not updated.

Syntax pdp update <parameter>

Parameter Description
all Recalculates group membership for all users and computers.

specific Recalculates group membership for a specified user or a computer.

pdp nested_groups
Description Defines and shows LDAP Nested groups configuration ("Nested Groups " on
page 112).

Syntax pdp nested_groups <parameter>

Parameter Description
status Shows configuration status of nested groups.

enable Enables nested groups.

disable Disables nested groups.

depth Sets nested groups depth (between 1 and 40).

__set_state {1 | 2 Sets nested groups state:

| 3}
• 1 - recursive (like R.77x)
• 2 - per-user
• 3 - multi per-group
show Shows a list of users, for which depth was not enough.

clear Clears the list of users, for which depth was not enough.

pdp ad
Description For AD Query, adds (or removes) an identity to the Identity Awareness
database.

Syntax pdp ad <parameter>

Identity Awareness Administration Guide R80.10 | 160

 Identity Awareness Commands

Parameter Description
associate <option> For AD Query, adds an identity to the Identity Awareness database
on the Security Gateway.

disassociate <option> For AD Query, removes the identity from the Identity Awareness
database on the Security Gateway.

pdp ad associate
Description For AD Query, adds an identity to the Identity Awareness database on the
Security Gateway. The group data must be in the AD.

Syntax pdp ad associate ip <ip> u <username> d <domain> [m <machine>]

[t <timeout>] [s]

Options Description
ip <ip> IP address for the identity.

u <username> Username for the identity.

m <machine> Computer that is defined for the identity.

d <domain> Domain of the ID server.

t <timeout> Timeout setting for the AD Query (default is 5 hours).

s Associates u <username> and m <machine> parameters sequentially.

First, the <machine> is added to the database and then the
<username>.

pdp ad disassociate
Description For AD Query, removes the identity from the Identity Awareness database on
the Security Gateway. Identity Awareness does not authenticate a user that is
removed.

Syntax pdp ad disassociate ip <ip> {u <username>|m <machine>} [r

{probed|override|timeout}]

Options Description
ip <ip> IP address for the identity.

u <username> Username for the identity.

m <machine> Computer that is defined for the identity.

Identity Awareness Administration Guide R80.10 | 161

 Identity Awareness Commands

Options Description
t <timeout> Timeout setting for the AD Query (default is 5 hours).

r {probed | override Reason that is shown in the Logs & Monitor > Logs tab.
| timeout}

pdp auth
Description Configures authentication/authorization options for PDP.

Syntax pdp auth <parameter> <option>

Parameter Description
force_domain <option> Configures PDP to match the identity's source based on the
reported domain and authorization domain.

kerberos_encryption Configures the Kerberos encryption type.

<option>

pdp auth force_domain

Description Forces the PDP to match the identity's source based on the reported domain
and authorization domain.

Syntax pdp auth force_domain <option>

Option Description
stat Shows the current status.

enable Enables the domain matching.

disable Disables the domain matching.

pdp auth kerberos_encryption

Description Configures the Kerberos encryption type (in SmartConsole, go to Objects
menu > Object Explorer > Servers > open the LDAP Account Unit object > go
to General tab > click Active Directory SSO Configuration).

Syntax pdp auth kerberos_encryption <option>

Option Description
get Shows the current Kerberos encryption status.

Identity Awareness Administration Guide R80.10 | 162

 Identity Awareness Commands

Option Description
set {policy | Sets the Kerberos encryption type.
aes128-cts-hmac-sha1-96 |
aes256-cts-hmac-sha1-96}

pdp radius
Description Shows and configures the RADIUS accounting options ("Configuring RADIUS
Accounting" on page 63).

Syntax pdp radius <parameter> <options>

Parameter Description
status Shows the current status.

ip {set <options> | Configures the secondary IP options.

reset}
Secondary IP index options:
<attribute index> [-a <vendor specific attribute index>]
[-c <vendor code>]

parser {set Configures the parsing options.

<options> | reset}
Parsing options for attributes:
<attribute index> [-c <vendor code> -a <vendor specific
attribute index>] -p <prefix> -s <suffix>

groups {set Configures the user groups options.

<options> | fetch
{on|off} | reset} Group index options:
-u
-m <attribute index> [-a <vendor specific attribute
index>] [-c <vendor code>] [-d <delimiter]

roles {set Configures how to obtain roles from RADIUS messages.

<options> | fetch
{on|off} | reset} Roles index options:
-u
-m <attribute index> [-a <vendor specific attribute
index>] [-c <vendor code>] [-d <delimiter]

pdp timers
Description Shows PDP timers information for each PDP session.

Syntax pdp timers <option>

Identity Awareness Administration Guide R80.10 | 163

 Identity Awareness Commands

Option Description
show Shows PDP timers information for each PDP session:
• User Auth Timer
• Machine Auth Timer
• Pep Cache Timer
• Compliance Timer
• Keep Alive Timer
• Ldap Fetch Timer

pdp idc
Description Operations related to Identity Collector ("Identity Collector Optimization" on page
77).
Syntax # pdp idc <option>

Option Description
service_accounts Shows the suspected service accounts.

muh {show | mark | Shows and configures the Multi User Host detection.
unmark}

groups_consolidat Shows and configures the consolidation of external groups with fetched
ion {status | groups.
enable | disable}

pdp tasks_manager
Description Shows the status of the PDP tasks (current running, previous, and pending
tasks).

Syntax pdp tasks_manager status

pdp control
Description Provides commands to control the PDP.

Syntax pdp control <parameter> <option>

Parameter and option Description

revoke_ip <IP address> Logs out the session that is related to the given IP address.

Identity Awareness Administration Guide R80.10 | 164

 Identity Awareness Commands

Parameter and option Description

sync Forces an initiated synchronization operation between the PDPs
and the PEPs. When you run this command, the PDP informs its
related PEPs of the up-to-date information of all connected
sessions. At the end of this operation, the PDP and the PEPs
contain the same and latest session information.

pdp debug
Description Enables and disables the debug of the PDP.

Syntax pdp debug <parameter> <option>

Parameter and option Description

on Enables the PDP debug (should be followed by the command "pdp
debug set ..." to determine the required filter).

off Disables the PDP debug.

set <topic_name> Filters the PDP debug logs that would be written to the debug file
<severity> according to the given topic and severity.
Available topics are:
• all
• when needed, more specific topics will be sent by Check Point
Support
Available severities are:
• all
• critical
• surprise
• important
• events
Best Practice - We recommend to run:
pdp debug set all all

unset <topic_name> Unsets a specific topic or topics.

stat Shows the PDP debug status.

reset Resets the PDP debug options of severity and topic. The debug is still
activated after running this command.
Must be followed by the command "pdp debug off" to turn off the
debug.

Identity Awareness Administration Guide R80.10 | 165

 Identity Awareness Commands

Parameter and option Description

rotate Rotates the PDP log files (increase the index of each log file):
$FWDIR/log/pdpd.elg becomes $FWDIR/log/pdpd.elg.0,
$FWDIR/log/pdpd.elg.0 becomes $FWDIR/log/pdpd.elg.1,
and so on.

memory Shows the memory consumption by the pdpd daemon.

spaces [0 | 1 | 2 | 3 Shows and sets the number of indentation spaces in the

| 4 | 5] $FWDIR/log/pdpd.elg file. The default is 0.

ip_map raw Shows IP address mapping debug information.

ccc {on | off} Enables / disables the writing of the CCC debug logs into the PDP log
file $FWDIR/log/pdpd.elg.

async1 Tests async command line using the echo command for 30
seconds.

Important - Activating the debug logs affects the performance of the daemon. Make
sure to turn off the debug after you complete troubleshooting.

Identity Awareness Administration Guide R80.10 | 166

 Identity Awareness Commands

pep
Description Provides commands to control and monitor the PEPD process (see below for
options).

Syntax pep <command>

Command Description
show Shows PEP information.

control Controls and sets PEP parameters.

debug Enables and disables the PEP debug.

tracker During the PEP debug, adds the TRACKER debug topic to the PEP logs.

pep show
Description Shows information about PEP.

Syntax pep show <parameter> <option>

Parameter Description
stat Shows the last time the pepd daemon was started and the last time a
policy was received.

user <option> Shows the status of sessions that are known to the PEP. You can
perform various queries according to the usage below to get the output
you are interested in.

pdp <option> Shows the communication channel between the PEP and the PDP.

network <option> Shows network related information.

pep show user

Description Shows the status of sessions that are known to the PEP. You can perform
various queries according to the usage below to get the output, in which you
are interested.

Syntax pep show user all

Identity Awareness Administration Guide R80.10 | 167

 Identity Awareness Commands

Parameter Description
all Shows all sessions with information summary.

Query Syntax pep show user query <parameter>

Parameter Description
usr <username> Shows session information for the given user name.

mchn <computer name> Shows session information for the given computer name.

cid <IP> Shows session information for the given IP.

uid <uidString> Shows session information for the given session ID.

pdp <IP> Shows all session information that was published from the given
PDP IP.

ugrp <group> Shows all sessions of users that are members of the given user
group name.

mgrp <group> Shows all sessions of computers that are members of the given
computer group name.

Note - You can use multiple query tokens (parameters) at once to create a logical AND correlation
between them.
For example, to display all users that have a sub string of "jo" AND are part of the user group
"Employees" you can use:
# pep show user query usr jo ugrp Employees

pep show pdp

Description Shows the communication channel between the PEP and the PDP. The output
shows the connect time and the number of users that were shared through the
connection.

Syntax pep show pdp <parameter>

Parameter Description
all Shows all the PDPs that are connected to the current PEP with the
relevant information.

id <IP> Shows connection information for the given PDP IP address.

Identity Awareness Administration Guide R80.10 | 168

 Identity Awareness Commands

pep show stat

Description Shows the last time the pepd daemon was started and the last time a policy
was received.
Important - Each time the pepd daemon starts, it loads the policy and the two
timers. The times when the daemon started and fetched the policy, will be very
close.

Syntax pep show stat

pep show network

Description Shows network related information.

Syntax pep show network <parameter>

Parameter Description
pdp Shows information about mapping between the network and PDPs.

registration Shows to which networks this PEP is registered.

pep show
Description Provides commands to control the PEP
Syntax # pep control <parameter> <option>

Parameter Description
portal_dual_stac Enables / Disables support for portal dual stack (IPv4 and IPv6).
k {enable |
disable}

extended_info_st Enables / Disables the storing of extended identities information by PEP

orage {enable | for debugging.
disable}

tasks_manager Shows the status of the PEP tasks (current running, previous, and
status pending tasks).

pep debug
Description Enables and disables the debug of the PEP.

Syntax pep debug <parameter> <option>

Identity Awareness Administration Guide R80.10 | 169

 Identity Awareness Commands

Parameter and option Description

on Enables the PEP debug (should be followed by the command "pep
debug set ..." to determine the required filter).

off Disables the PEP debug.

set <topic_name> Filters the PEP debug logs that would be written to the debug file
<severity> according to the given topic and severity.
Available topics are:
• all
• when needed, more specific topics will be sent by Check Point
Support
Available severities are:
• all
• critical
• surprise
• important
• events
Best Practice - We recommend to run:
pep debug set all all

unset <topic_name> Unsets a specific topic or topics.

stat Shows the PEP debug status.

reset Resets the PEP debug options of severity and topic.

The debug is still activated after running this command.
Must be followed by the command "pep debug off" to turn off the
debug.

rotate Rotates the PEP log files (increase the index of each log file):
$FWDIR/log/pepd.elg becomes $FWDIR/log/pepd.elg.0,
$FWDIR/log/pepd.elg.0 becomes $FWDIR/log/pepd.elg.1,
and so on.

memory Displays the memory consumption by the pepd daemon.

spaces [0 | 1 | 2 | 3 Displays and sets the number of indentation spaces in the

| 4 | 5] $FWDIR/log/pepd.elg file. The default is 0.

ip_map raw Displays IP address mapping debug information.

Important - Activating the debug logs affects the performance of the daemon. Make
sure to turn off the debug after you complete troubleshooting.

Identity Awareness Administration Guide R80.10 | 170

 Identity Awareness Commands

pep tracker
Description During the PEP debug, adds the TRACKER debug topic to the PEP logs
(enabled by default). This is very useful when monitoring the PDP-to-PEP
identity sharing and other communication in distributed environments. This
can be set manually by adding the TRACKER topic to the PEP debug.

Syntax pep tracker <parameter>

Parameter Description
on Enables the logging of TRACKER events in the PEP log.

off Disables the logging of TRACKER events in the PEP log.

Identity Awareness Administration Guide R80.10 | 171

 Identity Awareness Commands

test_ad_connectivity
Description Runs connectivity tests from the Security Gateway to an AD domain controller.

Syntax $FWDIR/bin/test_ad_connectivity <parameter_1 value_1>

<parameter value_2> ... <parameter_n value_n> ...<parameters and
options>

Parameters can be set in the command line as specified below, or set in a text file
$FWDIR/conf/test_ad_connectivity.conf file. Parameters set in this file are overridden
by the parameters provided on the command line.

Important - Parameters set in the $FWDIR/conf/test_ad_connectivity.conf

file cannot contain whitespaces and cannot be within quotation marks.

Output of the utility is saved in a file (not displayed on the screen). The path of the file is specified
by the –o parameter (see below).

Parameter Mandatory? Description

-d <domain name> Mandatory Domain name of the AD. For example
ad.mycompany.com

-i <DC IP address> Mandatory IP address of the domain controller that is

being tested.

-u <user name> Mandatory Administrator user name on the AD.

-o <filename> Mandatory Output filename that will be saved in the

$FWDIR/tmp/ directory.
For example, if you specify -o myfile, the
output will be saved in
$FWDIR/tmp/myfile

-c <password in clear Either this parameter, User's password in clear text.

text> or "-a" parameter
should be specified

-a Either this parameter, For entering password on the screen.

or "-c" parameter
should be specified

-t <timeout> Mandatory Total timeout in milliseconds.

-D <user DN> Optional Use this for LDAP user DN override (the
utility will not try to figure out the DN
automatically).

-l Optional Run LDAP connectivity test only (no WMI

test).

Identity Awareness Administration Guide R80.10 | 172

 Identity Awareness Commands

Parameter Mandatory? Description

-w Optional Run WMI connectivity test only (no LDAP
test).

-s Optional SSL Parameters file path.

-L Optional Timeout for the LDAP test only.

If this timeout expires, and the LDAP test
still runs, then both tests fail.

-h Optional Show built-in help.

Identity Awareness Administration Guide R80.10 | 173

CHAPTE R 12

References
For more about Kerberos SSO, see:
• http://web.mit.edu/Kerberos/
• http://technet.microsoft.com/en-us/library/bb742433.aspx

Identity Awareness Administration Guide R80.10 | 174

CHAPTE R 13

Appendix: Regular Expressions

In This Section:
Regular Expression Syntax ........................................................................................175
Using Non-Printable Characters ...............................................................................176
Using Character Types ...............................................................................................176

Regular Expression Syntax

This table shows the Check Point implementation of standard regular expression metacharacters.

Metacharacter Name Description

\ Backslash escape metacharacters
non-printable characters
character types

[] Square Brackets character class definition

() Parenthesis sub-pattern, to use metacharacters on the enclosed string

{min[,max]} Curly Brackets min/max quantifier

{n} - exactly n occurrences
{n,m} - from n to m occurrences
{n,} - at least n occurrences

. Dot match any character

? Question Mark zero or one occurrences (equals {0,1})

* Asterisk zero or more occurrences of preceding character

+ Plus Sign one or more occurrences (equals {1,})

| Vertical Bar alternative

^ Circumflex anchor pattern to beginning of buffer (usually a word)

$ Dollar anchor pattern to end of buffer (usually a word)

- hyphen range in character class

Identity Awareness Administration Guide R80.10 | 175

 Appendix: Regular Expressions

Using Non-Printable Characters

To use non-printable characters in patterns, escape the reserved character set.

Character Description
\a alarm; the BEL character (hex code 07)

\cX "control-X", where X is any character

\e escape (hex code 1B)

\f formfeed (hex code 0C)

\n newline (hex code 0A)

\r carriage return (hex code 0D)

\t tab (hex code 09)

\ddd character with octal code ddd

\xhh character with hex code hh

Using Character Types

To specify types of characters in patterns, escape the reserved character.

Character Description
\d any decimal digit [0-9]

\D any character that is not a decimal digit

\s any whitespace character

\S any character that is not whitespace

\w any word character (underscore or alphanumeric character)

\W any non-word character (not underscore or alphanumeric)

Identity Awareness Administration Guide R80.10 | 176