This article guides you about Identity Awareness on Check Point firewall devices.
– Identity Awareness (IA) allows you to add user, user group, and machine identities to your security layer. Traditionally, firewalls use IP addresses to monitor traffic and are unaware of the identities of the users and computers behind those IP addresses.
Identity Awareness maps user and computer identities to IP addresses, allowing you to enforce identity-based data auditing and access rights. Identity Awareness is an easy-to-deploy and scalable solution. It is applicable to both Active Directory and non-Active Directory-based networks, as well as to employees and guest users. Check Point supports both local users and external users. Local users are defined on the Security Management Server. External users are managed by an Active Directory, RADIUS, or LDAP server.
– An Access Role identifies users, computers, and networks as a single object and can be used as a source or destination in a rule.
– An Access Role can include one or more of these objects:
- Networks
- Users and user groups
- Computers and computer groups
- Remote access clients
– The Identity Awareness Software Blade provides many methods to obtain a user’s identity, including:
- AD Query
- Browser-Based Authentication
- Identity Agents
- RADIUS Accounting
- Remote Access clients
- Identity Collector and the Identity Web API
– This article covers only Browser-Based Authentication.
1. Enabling Identity Awareness
– Open the Security Gateway object and check Identity Awareness.
– In the pop-up menu, check AD Query and Browser-Based Authentication.
– Select Next. Here we will connect to the AD server. In this example the AD server is located in the DMZ, with IP address 172.16.20.100.
– You need to specify the Domain Name, Username, Password, and IP address of the AD server.
– Select Connect, wait until the “Successfully connected!” message appears, then select Next.
– A window explains how to set up Browser-Based Authentication; select Next.
– This window shows a summary of the settings and provides brief instructions on how to set up IA with your security policy. Select Finish.
– Exit the Security Gateway object.
– You need to publish the changes.
2. Add Identity Awareness to the Security Policy
– Go to the Objects menu and select New > More > User > Access Role.
– Set a name for the Access Role object.
– Leave Any Network in the Networks tab. Go to the Users tab and select the group you want to use.
– Select OK.
– Edit the Security Policy: in rule number 5, delete the LanNetwork object and replace it with the Access Role object.
– We need to activate the Captive Portal. Right-click the Accept action and select More.
– Tick Enable Identity Captive Portal.
– We need to create a rule that allows DNS to work, and place this rule above the rule you just edited; a host that has not yet authenticated must still be able to resolve names before it can be redirected to the Captive Portal.
3. Testing Identity Awareness
– Try accessing any website; you will see an authentication prompt from the Captive Portal.
– Enter your username and password and select Log In. After successful authentication, you will be able to access the website. At this point, you will be able to access other websites without additional authentication.
– Open SmartConsole and go to the Identity Awareness logs.
– Double-click a log entry to see its details.
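To make the behaviour of steps 2 and 3 concrete, here is a small model of identity-aware rule matching. It is an added example written for this article, not Check Point code: it simulates the IP-to-identity mapping that Identity Awareness maintains, an Access Role that matches on a user group, and a rulebase in the shape built above (a DNS rule placed above the Access Role rule, with the Identity Captive Portal enabled on that rule). All hosts, users, groups and rule numbers are constructed sample data; the redirect logic is a simplification of the real gateway.

```python
"""Toy model of Identity Awareness enforcement (constructed example, not Check Point code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Union


@dataclass(frozen=True)
class Identity:
    """What Identity Awareness learns for an IP: user, groups and optionally a machine."""
    user: str
    groups: FrozenSet[str] = frozenset()
    machine: Optional[str] = None


@dataclass
class AccessRole:
    """Access Role object: networks, users/groups and machines; an empty field means Any."""
    name: str
    networks: List[str] = field(default_factory=list)
    users: FrozenSet[str] = frozenset()       # user names or group names
    machines: FrozenSet[str] = frozenset()

    def network_matches(self, ip: str) -> bool:
        return not self.networks or any(ip_address(ip) in ip_network(n) for n in self.networks)

    def identity_matches(self, identity: Optional[Identity]) -> bool:
        if not self.users and not self.machines:
            return True                        # role constrains only the network
        if identity is None:
            return False                       # no identity known for this IP yet
        user_ok = not self.users or identity.user in self.users or bool(identity.groups & self.users)
        machine_ok = not self.machines or identity.machine in self.machines
        return user_ok and machine_ok


@dataclass
class Rule:
    number: int
    source: Union[str, AccessRole]   # "Any", a CIDR string, or an Access Role
    service: str                     # "dns", "http", or "any"
    action: str                      # "Accept" or "Drop"
    captive_portal: bool = False     # "Enable Identity Captive Portal" on the Accept action


class IdentityGateway:
    """Toy enforcement point: IP-to-identity sessions plus an ordered rulebase."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.sessions: Dict[str, Identity] = {}   # filled by a Captive Portal login

    def login(self, ip: str, identity: Identity) -> None:
        self.sessions[ip] = identity

    def decide(self, ip: str, service: str) -> str:
        identity = self.sessions.get(ip)
        for rule in self.rules:
            if rule.service not in ("any", service):
                continue
            src = rule.source
            if isinstance(src, AccessRole):
                if not src.network_matches(ip):
                    continue
                if src.identity_matches(identity):
                    return f"{rule.action} (rule {rule.number})"
                # The IP fits the role's networks but no identity is known: with the
                # Captive Portal enabled, web traffic is redirected to the login page
                # instead of falling through to the cleanup rule.
                if rule.captive_portal and identity is None and service == "http":
                    return f"Redirect to Captive Portal (rule {rule.number})"
                continue
            if src == "Any" or ip_address(ip) in ip_network(src):
                return f"{rule.action} (rule {rule.number})"
        return "Drop (implicit cleanup)"


def build_gateway(with_dns_rule: bool = True) -> IdentityGateway:
    """Rulebase in the shape the article builds (constructed sample objects)."""
    sales_role = AccessRole("Sales_Access_Role", users=frozenset({"Sales"}))
    rules: List[Rule] = []
    if with_dns_rule:
        rules.append(Rule(4, "192.168.1.0/24", "dns", "Accept"))
    rules.append(Rule(5, sales_role, "http", "Accept", captive_portal=True))
    rules.append(Rule(6, "Any", "any", "Drop"))
    return IdentityGateway(rules)


def walkthrough() -> List[str]:
    """Replays the article's test: unknown host, login, group mismatch, missing DNS rule."""
    gw = build_gateway()
    host = "192.168.1.10"                                  # constructed LAN host
    out = [gw.decide(host, "dns"), gw.decide(host, "http")]
    gw.login(host, Identity("alice", frozenset({"Sales"})))   # Captive Portal login
    out.append(gw.decide(host, "http"))
    gw.login(host, Identity("bob", frozenset({"Guests"})))    # user not in the role's group
    out.append(gw.decide(host, "http"))
    out.append(build_gateway(with_dns_rule=False).decide("192.168.1.20", "dns"))
    return out


if __name__ == "__main__":
    for line in walkthrough():
        print(line)
```

The walkthrough shows the point of the ordering in step 2: before login, DNS is accepted by rule 4 while web traffic is redirected by rule 5; after a Sales user logs in, rule 5 accepts the same host; a user outside the group falls through to the cleanup drop; and without the DNS rule, an unauthenticated host cannot even resolve the site it is trying to reach.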
Thank you for following the article!