07 Identity Awareness Lab

This document discusses how to configure identity awareness on a Check Point security gateway using Active Directory integration. It provides step-by-step instructions for connecting the gateway to an AD server, enabling identity awareness, testing user identification in firewall logs, and redirecting unauthenticated web traffic to a captive portal for authentication.


IDENTITY AWARENESS

R80 Training

Updated Nov. 5, 2020 ©2020 Check Point Software Technologies Ltd. 1


Creating security policy based upon users is possible using Check Point integrations with 3rd party user stores like Microsoft Windows Active Directory.

In this lab we’ll connect the R80 management server to an Active Directory server and use this information in the policy.

Identity Awareness Lab
Enable Identity Awareness

Enable Identity Awareness on the Security Gateway.
• From SmartConsole, edit the Security Gateway object.
• In the Network Security tab, verify that the Firewall option is selected.
• Select the Identity Awareness blade option.
• This launches the Identity Awareness configuration wizard.

Identity Awareness Lab
Enable Identity Awareness
• In the Wizard, enable both AD Query and Browser-Based Authentication, then click Next.

Identity Awareness Lab
Enable Identity Awareness

• If these fields are not already populated, create a new domain “ir.local” with the credentials “Administrator” and “Cpwins1!” for the domain server 192.168.102.102.
• Click Connect.

Note: this works best when launching SmartConsole on a host that is in the domain of the Directory Controller.

Identity Awareness Lab
Enable Identity Awareness
• Notice the default is set to access the portal only through internal interfaces.
• Click Next.
• “Identity Awareness is Now Active!” appears.
• Click Finish. Click OK.
• Install the policy.

Identity Awareness Lab
Enable Identity Awareness
• Edit the Gateway object. Click on the Identity Awareness branch and check the settings for Browser Based Authentication (aka Captive Portal) and Active Directory Query.
Notice the other identity sources:

• Identity Agents – lightweight agent installed on users’ computers.
• Terminal Servers – agent for terminal servers.
• RADIUS Accounting – identity from RADIUS accounting requests.
• Identity Collector – remote collector that supports AD and Cisco ISE/pxGrid.
• Identity Web API – add, delete, show users via an API.
• Remote Access – for IPSEC VPN users.

• Click Cancel to exit the Gateway object.


Identity Awareness Lab
Enable Identity Awareness
• In the SmartConsole objects pane (upper right), select Servers -> LDAP Account Unit -> ir.local_AD.
• Verify that the LDAP account unit, lab.test_AD, was created.
• Active Directory Query should be enabled.
• Click Cancel to exit.

Note: LDAP Account Units define the profile used to communicate with external LDAP
user directories like Active Directory. This object also contains the credentials and other
settings needed to communicate with the LDAP store. To simplify the configuration this
object is set up when the IA Configuration Wizard runs.

Identity Awareness Lab
Test Identity Awareness

• Close SmartConsole.
• Exit fullscreen if needed and sign off from Win-Victim.
• Open another MobaXterm session to Win-Victim.
• After logging back in, browse to any site.
• Launch SmartConsole and verify the logs include the user.
• If you like, use the Identity Awareness Blade query to see more details.

Identity Awareness Lab
Test Identity Awareness
• Captive Portal Scenario: This is a simple method to authenticate users with a web interface. When users try to access a protected resource, they enter authentication information in a form that shows in their browser.
• In rules with access roles, you can add a property in the Action field to redirect traffic to the Captive Portal. If this property is added, when the source identity is unknown and traffic is HTTP, the user is redirected to the Captive Portal. If the source identity is known, the Action in the rule (Allow or Block) is enforced immediately and the user is not sent to the Captive Portal.

Identity Awareness Lab
Test Identity Awareness
• Open the firewall rulebase and right click the Action field for Rule 5.
• Select More.
• Enable Identity Captive Portal.
• Click OK.

Identity Awareness Lab
Test Identity Awareness

• In the Source column, right click and remove the Net_192.168.101.0 object.
• Click + to open the picker.
• Click New and select Access Role.

Identity Awareness Lab
Test Identity Awareness

• Name the Access Role known-internal-net-users.
• In the Network tab, select specific networks: Net_192.168.101.0.
• In the Users and Machines tab, select Any.

Identity Awareness Lab
Test Identity Awareness
• Before exiting, click on Users.
• Click Specific users/groups and click +.
• Notice that you can toggle the icons in the upper right to show just users.
• We could create a specific role, but for this lab select Any User and click OK.

Identity Awareness Lab
Test Identity Awareness
• The Internet Access section should now look like the one below: Critical Risk applications and sites in the new rule 4, and web traffic redirected to the Captive Portal in rule 5.
• Install the policy.

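As an added illustration that is not part of the lab, the following Python model replays the rule 5 behaviour described above: an Access Role on Net_192.168.101.0 with Users set to Any, the gateway’s IP-to-identity table (what pdp monitor reports), the revoke_ip step, and the Captive Portal redirect for an unknown HTTP source. The identity name jroberts@ir.local and the table contents are constructed for the example, not taken from the lab.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
Identity = namedtuple("Identity", "user source")   # source: "AD Query" or "Captive Portal"

@dataclass
class AccessRole:
    name: str
    networks: list          # CIDRs from the role's Networks tab
    users: object = "Any"   # "Any", or a set of user names (Specific users/groups)

    def in_networks(self, src_ip: str) -> bool:
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(n) for n in self.networks)

    def user_allowed(self, ident: Identity) -> bool:
        return self.users == "Any" or ident.user in self.users

@dataclass
class Rule:
    source: AccessRole
    action: str                    # "Accept" or "Drop"
    captive_portal: bool = False   # "Identity Captive Portal" under Action -> More

def decide(rule: Rule, src_ip: str, protocol: str, identity_table: dict) -> str:
    # Model of how the gateway treats one connection against an access-role rule.
    if not rule.source.in_networks(src_ip):
        return "no-match"                        # role's network condition not met
    ident = identity_table.get(src_ip)           # what the PDP holds for this IP
    if ident is None:                            # source identity unknown
        if rule.captive_portal and protocol == "http":
            return "redirect-to-captive-portal"
        return "no-match"                        # no identity, so the role cannot match
    return rule.action if rule.source.user_allowed(ident) else "no-match"

def lab_walkthrough() -> list:
    # Replays the lab with constructed data: AD Query mapping, revoke_ip, redirect, portal login.
    role = AccessRole("known-internal-net-users", ["192.168.101.0/24"])
    rule5 = Rule(role, "Accept", captive_portal=True)
    joe_ip = "192.168.101.201"
    table = {joe_ip: Identity("jroberts@ir.local", "AD Query")}   # assumed user@domain form
    out = [decide(rule5, joe_ip, "http", table)]                  # Accept
    table.pop(joe_ip)                                              # pdp control revoke_ip 192.168.101.201
    out.append(decide(rule5, joe_ip, "http", table))               # redirect-to-captive-portal
    out.append(decide(rule5, "192.168.102.102", "http", table))    # no-match: outside the role's network
    table[joe_ip] = Identity("jroberts@ir.local", "Captive Portal")  # successful portal login
    out.append(decide(rule5, joe_ip, "http", table))               # Accept again
    out.append(table[joe_ip].source)                               # "Captive Portal"
    return out
```

The last value mirrors what the lab checks afterwards: the log’s Identity Source (and pdp’s Client Type) changes from AD Query to the portal once the user re-authenticates through it.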
Identity Awareness Lab
Test Identity Awareness
Test Captive Portal to verify the configuration.
• Log in to the Gateway CLI.
• From expert mode, type: pdp monitor all | more to get the IP address of [email protected].

Note: For this exercise, it's best to connect to the gateway using MobaXterm.

Identity Awareness Lab
Test Identity Awareness
• Issue the command:
• # pdp control revoke_ip 192.168.101.201
• This will revoke Joe’s identity mapping on the gateway.

Identity Awareness Lab
Test Identity Awareness
• Test with Internet Explorer, or with Chrome in incognito mode.
• Launch IE and try to connect to www.cnn.com; you should be redirected to the Network Login window.
• If you receive a certificate warning, select Continue to this website.

Note: If you receive a warning, click continue. The Gaia portal cert is different from the gateway certificate.

Identity Awareness Lab
Test Identity Awareness
• Using the following information, enter the user credentials:

• Username: jroberts   Password: Cpwins1!

Identity Awareness Lab
Test Identity Awareness
• In LOGS & MONITOR, select Queries -> Access -> Identity Awareness Blade -> All from the Query favorites.
• Notice in the latest log that Identity Source is Captive Portal.
• From Expert Mode, type the following command and press Enter:
  # pdp monitor all | more
• Notice the Client Type has changed to portal.

Identity Awareness Lab
Test Identity Awareness
• Edit the Internet Access rule to disable Captive Portal. We’ll
use AD Query for user identity for the rest of the lab.
• Right click the Action field.
• Select More.
• Disable Captive Portal.
• Change the Source field from the Access Role to the
Network object, Net_192.168.101.0.
• Install the Policy.

Advanced Topics

Identity Awareness Lab
Test Identity Awareness
Use a 3rd party Identity Provider over SAML as an authentication method for
Identity Awareness Gateway (Captive Portal) and for Mobile Access Portal.

SAML Authentication Process Flow

1. An end user asks for a service through the client browser.
2. The Security Gateway redirects the client browser to the 3rd party Identity Provider portal to acquire the end user's identity.
3. The Identity Provider portal authenticates the end user.
4. The Identity Provider generates a digitally-signed SAML assertion and sends it back to the client browser.
5. The client browser forwards the SAML assertion to the Security Gateway.
6. The Security Gateway validates the SAML assertion and provides the end user with the service.

Identity Awareness Lab
Identity Awareness Best Practices
SecureKnowledge sk88520

Identity Awareness Lab
IA Deployments (Directories, AuthN servers)
AD Query
  Description: Gets identity data seamlessly from Active Directory (AD).
  Recommended Usage:
    • Identity based auditing and logging.
    • Leveraging identity in Internet application control.
    • Basic identity enforcement in the internal network.
    • Preferred for desktop users.
  Deployment Considerations:
    • Easy configuration (requires AD administrator credentials).
    • For organizations that prefer not to allow administrator users to be used as service accounts on third party devices, there is an option to configure AD Query without AD administrator privileges; see sk43874.
    • Only detects AD users and machines.

Identity Collector
  Description: Agent installed on a Windows host acquires identities from Microsoft Active Directory Domain Controllers via the Windows Event Log API or from Cisco Identity Services Engine (ISE) servers via the pxGrid API.
  Recommended Usage:
    • Works with Microsoft Active Directory Domain Controllers in large scale environments.
    • Integrates with Cisco Identity Services Engine.
  Deployment Considerations:
    • Windows application with prerequisites.
    • Locally managed.
    • Requires Event Log Readers permission credentials.
    • See Identity Collector Technical Overview for a comparison with AD Query.

RADIUS Accounting
  Description: RADIUS Accounting gets identity data from RADIUS Accounting Requests generated by the RADIUS accounting client. Identity Awareness uses the data from these requests to get user and device group information from the LDAP server. Firewall rules apply these permissions to users, computers and networks.
  Recommended Usage:
    • In environments where authentication is handled by a RADIUS server.
  Deployment Considerations:
    • You must define the Security Gateway as a RADIUS accounting client.
    • You must give the RADIUS client access permissions and create a shared secret.
Identity Awareness Lab
IA Deployments (Browsers, VPN Clients)
Browser-Based Authentication - Captive Portal
  Description: Unidentified users log in with a user name and password in a Captive Portal. After authentication, the user clicks a link to go to the destination address.
  Recommended Usage:
    • Identity based enforcement for non-AD users (non-Windows and guest users).
  Deployment Considerations:
    • Used for identity enforcement (not intended for logging purposes).
    • You can require deployment of Endpoint Identity Agents.

Browser-Based Authentication - Transparent Kerberos Authentication
  Description: The Transparent Kerberos Authentication Single-Sign On (SSO) solution transparently authenticates users already logged into AD. This means that a user authenticates to the domain one time and has access to all authorized network resources without having to enter credentials again. If Transparent Kerberos Authentication fails, the user is redirected to the Captive Portal for manual authentication.
  Note: The agent download link and Keep Alive options are not relevant when Transparent Kerberos Authentication SSO is successful. This is because the user does not see the Captive Portal.
  Recommended Usage:
    • In AD environments, when known users are already logged in to the domain.
  Deployment Considerations:
    • Used for identity enforcement only (not intended for logging purposes).
    • Transparent Kerberos Authentication does not use Endpoint Identity Agents or the Keep Alive feature.

Remote Access
  Description: Users who get access using IPSec VPN Office Mode can authenticate seamlessly.
  Recommended Usage:
    • Identify and apply identity-based security policy on users that access the organization through VPN.
  Deployment Considerations:
    • See Choosing Identity Sources.
Identity Awareness Lab
IA Deployments (Agents, API)
Endpoint Identity Agent
  Description: A lightweight endpoint agent authenticates users securely with Single Sign-On (SSO).
  Recommended Usage:
    • Identity enforcement for Data Centers.
    • Protecting highly sensitive servers.
    • When accuracy in detecting identity is crucial.
  Deployment Considerations:
    • See Choosing Identity Sources.

Terminal Servers Identity Agent
  Description: Identifies multiple users who connect from one IP address. A Terminal Server Endpoint Identity Agent is installed on the application server, which hosts the terminal/Citrix services.
  Recommended Usage:
    • Identify users who use Terminal Servers or a Citrix environment.
  Deployment Considerations:
    • See Choosing Identity Sources.

Identity Web API
  Description: Create and revoke identities, and query Identity Awareness regarding users, IP addresses, and computers via a REST API.
  Recommended Usage:
    • Integrates with 3rd party security products, such as ForeScout CounterACT and Aruba Networks ClearPass.
    • Integrates Identity Awareness with authentication systems that Check Point does not regularly support.
    • Does system administration tasks such as quick checks of users' IP addresses.
  Deployment Considerations:
    • You must properly configure the accessibility and the list of authorized API clients.
    • You must create a separate shared secret for each API client.
End of Identity Awareness Lab
