
IDENTITY AWARENESS

R80.10 Training
(revised: September 14, 2018)

©2018 Check Point Software Technologies Ltd. [Confidential] For designated groups and individuals
Identity Awareness Lab

Creating security policy based upon users is possible using Check Point integrations with 3rd party user stores like Microsoft Windows Active Directory.

In this lab we’ll connect the R80 management server to an Active Directory server and use this information in the policy.

Lab topology (reconstructed from the network diagram on this slide):

Networks: Internal 192.168.101.x, DMZ 192.168.102.x, External 192.168.103.x (the diagram labels the external side "Gateway IP: 192.168.103.1"). The R80 host is both Management and Gateway and sits between the three networks. Hosts marked "VMware: suspend" are not needed for this lab.

R80 (Management & Gateway)
  Eth0: 192.168.101.254 (Internal)   Eth1: 192.168.102.254 (DMZ)   Eth2: 192.168.103.254 (External)
  User: admin / Cpwins1!   GUI: admin / Cpwins1!
  Default Gtwy: 192.168.103.2   DNS: 192.168.103.2, 8.8.8.8

Win-Victim (Internal Client)
  IP: 192.168.101.100   User: jroberts / Cpwins1!
  Default Gtwy: 192.168.101.254   DNS: 192.168.102.2

EndpointServer (Endpoint Management; VMware: suspend)
  IP: 192.168.101.165   User: admin / Cpwins1!
  Default Gtwy: 192.168.101.254   DNS: 192.168.102.2

Ubuntu (Web Server, DMZ; VMware: suspend)
  IP: 192.168.102.5   User: admin / Cpwins1!
  Default Gtwy: 192.168.102.254   DNS: 8.8.8.8 / 127.0.1.1 (both appear in the DMZ columns of the diagram)

Win-DC (Active Directory, DMZ)
  IP: 192.168.102.2   User: Administrator / Cpwins1!   Domain: LAB.TEST
  Default Gtwy: 192.168.102.254

Kali (Pen Test Tool, External; VMware: suspend)
  IP: 192.168.103.100   User: root / Cpwins1!
  Default Gtwy: 192.168.103.254   DNS: 8.8.8.8
Identity Awareness Lab
Enable Identity Awareness

Enable Identity Awareness on the Security Gateway.

• From SmartConsole, edit the Security Gateway object (R80).
• In the Network Security tab, verify that the Firewall option is selected.
• Select the Identity Awareness blade option.
• This launches the Identity Awareness configuration wizard.


• In the Wizard, enable both AD Query and Browser-Based Authentication, then click Next.


• If these fields are not already populated, create a new domain “lab.test” with the credentials “Administrator” and “Cpwins1!”.

• Click Connect.

Note: If you receive an error, click Connect one more time. Sometimes the first connection attempt is dropped in a VM environment. Verify the connection with a ping to 192.168.102.2.

Note: The wizard stores these AD administrator credentials in the LDAP Account Unit it creates. Outside the lab, use a dedicated account for AD Query; the best-practices table at the end of this deck (sk43874) covers configuring AD Query without AD administrator privileges.
• Notice the default is set to access the portal only through internal interfaces. Leave it that way unless the Captive Portal login form genuinely needs to be reachable from outside.

• Click Next.

• Identity Awareness is Now Active! appears.

• Click Finish. Click OK.

• Install the policy.


• Edit the R80 object. Click on the Identity Awareness branch and check the settings for Browser Based Authentication (aka Captive Portal) and Active Directory Query.

Notice the other identity sources:

• Identity Agents – lightweight agent installed on users’ computers.
• Terminal Servers – agent for terminal servers.
• RADIUS Accounting – identity from RADIUS accounting requests.
• Identity Collector – remote collector that supports AD and Cisco ISE/pxGrid.
• Identity Web API – add, delete, show users via an API.
• Remote Access – for IPsec VPN users.


• In the SmartConsole objects pane (upper right), select Servers -> LDAP Account Unit -> lab.test_AD.

• Verify that the LDAP account unit, lab.test_AD, was created.

• Active Directory Query should be enabled.

• Click Cancel to exit.

Note: LDAP Account Units define the profile used to communicate with external LDAP user directories like Active Directory. This object also contains the credentials and other settings needed to communicate with the LDAP store. To simplify the configuration, this object is set up when the IA Configuration Wizard runs.
Identity Awareness Lab
Test Identity Awareness

• Log off from Win-Victim.
• After logging back in, browse to any site.
• Verify the logs include the user.
• If you like, use the Identity Awareness Blade query to see more details.
• Captive Portal Scenario: This is a simple method to authenticate users with a web interface. When users try to access a protected resource, they enter authentication information in a form that shows in their browser.

• In rules with access roles, you can add a property in the Action field to redirect traffic to the Captive Portal. If this property is added, when the source identity is unknown and traffic is HTTP, the user is redirected to the Captive Portal. If the source identity is known, the Action in the rule (Allow or Block) is enforced immediately and the user is not sent to the Captive Portal.


• Open the firewall rulebase and right click the Action field for Rule 5.
• Select More.
• Enable Identity Captive Portal.
• Click OK.


• In the Source column, right click and remove the Net_192.168.101.0 object.
• Click + to open the picker.
• Click New and select Access Role.


• Name the Access Role known-internal-net-users.
• In the Networks tab select specific networks: Net_192.168.101.0.
• In the Users and Machines tab select Any.


• Before exiting, click on Users.
• Click Specific users/groups and click +.
• Notice that you can toggle the icons in the upper right to show just users.
• We could create a specific role, but for this lab select Any User and click OK.


• The Internet Access section should now show Critical Risk applications and sites in the new rule 4, and web traffic redirected to the Captive Portal in rule 5.

• Install the policy.


Test Captive Portal to verify the configuration.

• Log in to the R80 CLI (via the Gaia web UI or console).
• From the restricted admin shell, type expert.
• From expert mode, type:
  pdp monitor all | more
  to get the IP address of jroberts@lab.test.


• Issue the command:
  # pdp control revoke_ip 192.168.101.100
• This will revoke Joe’s identity mapping on the gateway.
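The Captive Portal behaviour described on the earlier "Test Identity Awareness" slide and the two pdp steps just above fit together in the following added example. It is the editor's code, not Check Point tooling or output: it parses "Field: value" records of the kind `pdp monitor all` prints into a table keyed by IP, looks up the IP for jroberts@lab.test, drops the mapping the way `pdp control revoke_ip` does, and then applies the rule behaviour the lab describes (a matching Access Role enforces the Action at once; an unknown identity on HTTP with Captive Portal enabled is redirected; anything else does not match this rule). SAMPLE_OUTPUT is constructed to resemble the record layout and is not captured from a gateway; a live gateway prints more fields. Two readings are the editor's assumptions, not quoted Check Point statements: "Any" in the Users tab means any identified user, and the redirect only applies to sources inside the role's networks.

```python
"""Identity table and Captive Portal decision, modelled on the lab steps.

Added example by the editor, not Check Point code. SAMPLE_OUTPUT is a
constructed approximation of `pdp monitor all` records (blank-line
separated "Field: value" lines); a live gateway prints more fields.
"""
import ipaddress
import re

# Constructed sample: two sessions as the lab's AD Query would have learned them.
SAMPLE_OUTPUT = """\
Session: 1
Ip: 192.168.101.100
Users: jroberts@lab.test
Machine: win-victim@lab.test
Client Type: AD Query

Session: 2
Ip: 192.168.101.165
Users:
Machine: endpointserver@lab.test
Client Type: AD Query
"""


def parse_pdp_monitor(text):
    """Return {ip: {field: value}} from `pdp monitor all` style output."""
    table = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                record[key.strip()] = value.strip()
        if record.get("Ip"):
            table[record["Ip"]] = record
    return table


def ips_for_user(table, user):
    """The lab's step 'get the IP address of jroberts@lab.test'."""
    return sorted(ip for ip, rec in table.items()
                  if user in rec.get("Users", "").split())


def revoke_ip(table, ip):
    """Same effect on the table as `pdp control revoke_ip <ip>` has on the gateway."""
    return table.pop(ip, None) is not None


def known_users(table, ip):
    """User identities currently mapped to ip (empty set = identity unknown)."""
    rec = table.get(ip)
    return set(rec.get("Users", "").split()) if rec else set()


class AccessRole:
    """Source object combining networks with users. 'Any' in the Users tab is
    read here as any *identified* user (editor's assumption): a source with
    no identity never matches, which is what lets the redirect happen at all."""

    def __init__(self, name, networks, users="Any"):
        self.name = name
        self.networks = [ipaddress.ip_network(n) for n in networks]
        self.users = users          # "Any" or a set of user names

    def in_networks(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def matches(self, ip, users):
        if not self.in_networks(ip) or not users:
            return False
        return self.users == "Any" or bool(self.users & users)


def decide(rule_role, rule_action, captive_portal, table, src_ip, is_http):
    """Outcome of one connection against a rule whose Source is an Access Role.

    Known identity and the role matches -> the rule's Action applies at once.
    Unknown identity, HTTP, portal on   -> redirect to the Captive Portal
                                           (only for sources inside the role's
                                           networks; editor's reading).
    Anything else                       -> this rule does not match; later
                                           rules in the rulebase decide.
    """
    users = known_users(table, src_ip)
    if rule_role.matches(src_ip, users):
        return rule_action
    if not users and captive_portal and is_http and rule_role.in_networks(src_ip):
        return "redirect-to-captive-portal"
    return "no-match"


if __name__ == "__main__":
    table = parse_pdp_monitor(SAMPLE_OUTPUT)
    role = AccessRole("known-internal-net-users", ["192.168.101.0/24"])
    print(ips_for_user(table, "jroberts@lab.test"))
    print(decide(role, "Accept", True, table, "192.168.101.100", True))
    revoke_ip(table, "192.168.101.100")          # what the lab's revoke step does
    print(decide(role, "Accept", True, table, "192.168.101.100", True))
    print(decide(role, "Accept", True, table, "192.168.101.100", False))
```

The last two calls are the point of the exercise: after the revoke, an HTTP request from Win-Victim is redirected to the portal, while non-HTTP traffic from the same host simply falls through this rule to whatever comes later in the rulebase.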


• To test this, close Chrome.
• Instead of opening Chrome with 3 tabs, launch Chrome in a new incognito window.
• Right click the Chrome icon in the system tray.
• Select New incognito window.


• Try to connect to www.cnn.com and you should be redirected to a Network Login window.
• Using the following information, enter the user credentials:
  • Username: jroberts
  • Password: Cpwins1!


• If you want to test with Internet Explorer, close Chrome and issue the “pdp control revoke_ip 192.168.101.100” command again.
• Launch IE and try to connect to www.cnn.com and you should be redirected to the Network Login window.
• If you receive a certificate warning, select Continue to this website.

Note: If you receive a warning, click Continue. The Gaia portal certificate is different from the gateway certificate. In a production deployment the Captive Portal should present a certificate the clients already trust, so that users are not trained to click through warnings on a login page.


• In LOGS & MONITOR, select Queries -> Access -> Identity Awareness Blade -> All from the Query favorites.
• Notice in the latest log Identity Source is Captive Portal.
• From Expert Mode, type the following command and press Enter:
  # pdp monitor all | more
• Notice the Client Type has changed to portal.


• Edit the Internet Access rule to disable Captive Portal. We’ll use AD Query for user identity for the rest of the lab.
• Right click the Action field.
• Select More.
• Disable Captive Portal.
• Change the Source field from the Access Role to the Network object, Net_192.168.101.0.
• Install the Policy.


ADVANCED TOPICS

Identity Awareness Best Practices
SecureKnowledge sk88520


IA Deployments (Directories, AuthN servers)

AD Query
  Description: Gets identity data seamlessly from Active Directory (AD).
  Recommended Usage:
  • Identity based auditing and logging.
  • Leveraging identity in Internet application control.
  • Basic identity enforcement in the internal network.
  • Preferred for desktop users.
  Deployment Considerations:
  • Easy configuration (requires AD administrator credentials).
  • For organizations that prefer not to allow administrator users to be used as service accounts on third party devices, there is an option to configure AD Query without AD administrator privileges; see sk43874.
  • Only detects AD users and machines.

Identity Collector
  Description: Agent installed on a Windows host acquires identities from Microsoft Active Directory Domain Controllers via the Windows Event Log API or from Cisco Identity Services Engine (ISE) servers via the pxGrid API.
  Recommended Usage:
  • Works with Microsoft Active Directory Domain Controller in large scale environments.
  • Integrates with Cisco Identity Services Engine.
  Deployment Considerations:
  • Windows application with prerequisites.
  • Locally managed.
  • See Identity Collector Technical Overview for comparison with AD Query.
  • Requires Event Log Readers permission credentials.

RADIUS Accounting
  Description: RADIUS Accounting gets identity data from RADIUS Accounting Requests generated by the RADIUS accounting client. Identity Awareness uses the data from these requests to get user and device group information from the LDAP server. Firewall rules apply these permissions to users, computers and networks.
  Recommended Usage:
  • In environments where authentication is handled by a RADIUS server.
  Deployment Considerations:
  • You must define the Security Gateway as a RADIUS accounting client.
  • You must give the RADIUS client access permissions and create a shared secret.
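The RADIUS Accounting row above hinges on the shared secret between the device that sends accounting records and the gateway that turns them into identities. The following added example (editor's code, not Check Point's) shows both sides of that exchange: it builds an Accounting-Request the way an accounting client would and validates it the way a receiver must, by recomputing the RFC 2866 Request Authenticator with the shared secret, so a record from an unknown client or a tampered packet yields no identity. A Start record creates the IP-to-user mapping, a Stop record removes it. Attribute numbers are the standard RFC 2865/2866 ones; the secret, user name, addresses and session id are constructed for the example.

```python
"""RADIUS Accounting as an identity source: the shared-secret check.

Added example by the editor, not Check Point code. Packet layout and the
Request/Response Authenticator formulas follow RFC 2866 section 3;
attribute numbers are the standard ones from RFC 2865/2866. The secret,
user name, addresses and session id are constructed for the example.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 8, 40, 44
ACCT_START, ACCT_STOP = 1, 2


def _attr(atype, value):
    """One RADIUS attribute: Type(1) Length(1, includes header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_accounting_request(identifier, secret, user, framed_ip, status, session_id):
    """What the accounting client sends when a user session starts or stops.
    Request Authenticator = MD5(Code|ID|Length|16 zero octets|Attributes|Secret)."""
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(FRAMED_IP_ADDRESS, ipaddress.ip_address(framed_ip).packed)
             + _attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + _attr(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attributes(data):
    """Walk the TLV attribute list; reject lengths that run past the packet."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs


def verify_accounting_request(packet, secret):
    """The receiver's check. Returns {'user', 'ip', 'status'} only when the
    Request Authenticator matches under `secret`; None for a wrong secret,
    a tampered or truncated packet, or a record lacking the fields an
    IP-to-user mapping needs."""
    if len(packet) < 20:
        return None
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return None
    packet = packet[:length]                      # octets past Length are padding
    header, received, attrs_raw = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs_raw + secret).digest()
    if not hmac.compare_digest(expected, received):
        return None
    try:
        attrs = parse_attributes(attrs_raw)
        if not all(k in attrs for k in (USER_NAME, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE)):
            return None
        return {"user": attrs[USER_NAME].decode("utf-8", "replace"),
                "ip": str(ipaddress.ip_address(attrs[FRAMED_IP_ADDRESS])),
                "status": struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0]}
    except (ValueError, struct.error):
        return None


def encode_accounting_response(request, secret):
    """Accounting-Response acknowledging `request` (no attributes).
    Response Authenticator = MD5(Code|ID|Length|RequestAuthenticator|Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def apply_accounting(identities, record):
    """Start creates the IP-to-user mapping the policy will use; Stop removes it."""
    if record["status"] == ACCT_START:
        identities[record["ip"]] = record["user"]
    elif record["status"] == ACCT_STOP:
        identities.pop(record["ip"], None)
    return identities
```

Note that the authenticator is an integrity check keyed on the shared secret, not encryption: anyone on the path can read the user name and IP in the accounting record, which is one reason to restrict which clients the gateway accepts accounting from and to keep a distinct secret per client.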


IA Deployments (Browsers, VPN Clients)

Browser-Based Authentication - Captive Portal
  Description: Unidentified users log in with a user name and password in a Captive Portal. After authentication, the user clicks a link to go to the destination address.
  Recommended Usage:
  • Identity based enforcement for non-AD users (non-Windows and guest users).
  • You can require deployment of Endpoint Identity Agents.
  Deployment Considerations:
  • Used for identity enforcement (not intended for logging purposes).

Browser-Based Authentication - Transparent Kerberos Authentication
  Description: The Transparent Kerberos Authentication Single-Sign On (SSO) solution transparently authenticates users already logged into AD. This means that a user authenticates to the domain one time and has access to all authorized network resources without having to enter credentials again. If Transparent Kerberos Authentication fails, the user is redirected to the Captive Portal for manual authentication.
  Note - The agent download link and Keep Alive options are not relevant when Transparent Kerberos Authentication SSO is successful, because the user does not see the Captive Portal.
  Recommended Usage:
  • In AD environments, when known users are already logged in to the domain.
  Deployment Considerations:
  • Used for identity enforcement only (not intended for logging purposes).
  • Transparent Kerberos Authentication does not use Endpoint Identity Agents or the Keep Alive feature.

Remote Access
  Description: Users who get access using IPSec VPN Office Mode can authenticate seamlessly.
  Recommended Usage:
  • Identify and apply identity-based security policy on users that access the organization through VPN.
  Deployment Considerations:
  • See Choosing Identity Sources.
IA Deployments (Agents, API)

Endpoint Identity Agent
  Description: A lightweight endpoint agent authenticates users securely with Single Sign-On (SSO).
  Recommended Usage:
  • Identity enforcement for Data Centers.
  • Protecting highly sensitive servers.
  • When accuracy in detecting identity is crucial.
  Deployment Considerations:
  • See Choosing Identity Sources.

Terminal Servers Identity Agent
  Description: Identifies multiple users who connect from one IP address. A Terminal Server Endpoint Identity Agent is installed on the application server, which hosts the terminal/Citrix services.
  Recommended Usage:
  • Identify users who use Terminal Servers or a Citrix environment.
  Deployment Considerations:
  • See Choosing Identity Sources.

Identity Web API
  Description: Create and revoke identities, and query Identity Awareness regarding users, IP addresses, and computers via a REST API.
  Recommended Usage:
  • Integrates with 3rd party security products, such as ForeScout CounterACT and Aruba Networks ClearPass.
  • Integrates Identity Awareness with authentication systems that Check Point does not regularly support.
  • Does system administration tasks such as quick checks of users' IP address.
  Deployment Considerations:
  • You must properly configure the accessibility and the list of authorized API clients.
  • You must create a separate shared secret for each API client.
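For the Identity Web API row above, the following added example (editor's code, not Check Point's SDK or sample code) shows what an authorized API client sends to create, query and revoke an identity, and where the two deployment considerations land in code: each client instance carries its own shared secret, and the default transport speaks HTTPS with certificate verification against a CA bundle you supply. The URL layout `https://<gateway>/_IA_API/v1.0/<command>` and the JSON field names (`shared-secret`, `ip-address`, `user`, `domain`, `session-timeout`, `identity-source`, `fetch-user-groups`, `calculate-roles`) are the editor's recollection of the public Identity Awareness Web API reference and should be checked against your gateway version's documentation; the host, secret and addresses are constructed. The transport is injectable so the example runs offline.

```python
"""Identity Web API client skeleton (added example by the editor; not
Check Point's SDK or sample code).

Assumptions, to be checked against your gateway's Identity Awareness Web
API reference: commands live at https://<gateway>/_IA_API/v1.0/<command>,
take a JSON body, and authenticate the caller with a per-client
"shared-secret" field. Host names, secrets and addresses are constructed.
The transport is injectable so the example runs offline; the default one
sends over HTTPS and verifies the gateway's certificate.
"""
import json
import ssl
import urllib.request


class IdentityWebAPI:
    def __init__(self, gateway, shared_secret, ca_file=None, transport=None,
                 base="/_IA_API/v1.0"):
        self.base_url = f"https://{gateway}{base}"
        self._secret = shared_secret      # one secret per API client, never reused
        self._ca_file = ca_file
        self._transport = transport or self._https_post

    def _https_post(self, url, body):
        """Default transport: TLS with certificate verification. Point ca_file
        at the gateway's CA instead of disabling checks for a self-signed cert."""
        ctx = ssl.create_default_context(cafile=self._ca_file)
        req = urllib.request.Request(url, data=body, method="POST",
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, resp.read()

    def _call(self, command, params):
        payload = dict(params)
        payload["shared-secret"] = self._secret
        status, raw = self._transport(f"{self.base_url}/{command}",
                                      json.dumps(payload).encode())
        if status != 200:
            # Do not echo the payload in the error: it carries the shared secret.
            raise RuntimeError(f"{command}: HTTP {status}")
        return json.loads(raw)

    def add_identity(self, ip, user, domain=None, session_timeout=3600,
                     identity_source="example-nac"):
        """Create an IP-to-user mapping. session-timeout bounds how long the
        mapping survives if the client never sends a delete."""
        params = {"ip-address": ip, "user": user,
                  "session-timeout": session_timeout,
                  "identity-source": identity_source,
                  "fetch-user-groups": 1, "calculate-roles": 1}
        if domain:
            params["domain"] = domain
        return self._call("add-identity", params)

    def show_identity(self, ip):
        """Quick check of what the gateway currently knows about an IP."""
        return self._call("show-identity", {"ip-address": ip})

    def delete_identity(self, ip):
        """Revoke the mapping (the API counterpart of pdp control revoke_ip)."""
        return self._call("delete-identity", {"ip-address": ip})


def redact(body):
    """Copy of a request body that is safe to log: the secret is masked."""
    data = json.loads(body)
    if "shared-secret" in data:
        data["shared-secret"] = "***"
    return data
```

Restricting "accessibility" is done on the gateway side (which interfaces serve the API and which client addresses are authorized); the client side's contribution is to never fall back to unverified TLS and to keep the secret out of logs and error messages, which is what `redact` and the terse `RuntimeError` are for.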


End of Lab