Identity Awareness R75
Administration Guide
17 January 2011

© 2011 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11662
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
Date              Description
17 January 2011   Added a new chapter ("Identity Awareness Commands" on page 95). Improved formatting and document layout.
30 December 2010  Improved documentation, formatting and document layout.
15 December 2010  First release of this document.

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Identity Awareness R75 Administration Guide).
Contents

Important Information ... 3
Getting Started With Identity Awareness ... 7
Introduction ... 7
AD Query ... 9
Captive Portal ... 10
Identity Agents ... 11
Deployment ... 13
Identity Awareness Scenarios ... 14
Acquiring Identities for Active Directory Users ... 14
Acquiring Identities with the Captive Portal ... 16
Acquiring Identities with Identity Agents ... 20
Acquiring Identities in Application Control ... 22
Configuring Identity Awareness ... 25
Enabling Identity Awareness on the Security Gateway ... 25
Results of the Wizard ... 28
Creating Access Roles ... 28
Using Identity Awareness in the Firewall Rule Base ... 30
Access Role Objects ... 31
Negate and Drop ... 31
Using Identity Awareness in the Application Control Rule Base ... 31
Source and Destination Fields ... 32
Negate and Block ... 33
Configuring Captive Portal in SmartDashboard ... 33
Portal Network Location ... 33
Access Settings ... 33
Authentication Settings ... 34
Customize Appearance ... 34
User Access ... 35
Agent Deployment from the Portal ... 36
Configuring Identity Agents ... 36
Identity Agent Types ... 36
Identity Agent Deployment Methods ... 38
Server Discovery and Trust ... 39
Configuring Identity Agents in SmartDashboard ... 40
Configuring Identity Awareness for a Log Server ... 42
Enabling Identity Awareness on the Log Server ... 42
Identity Sources ... 43
Choosing Identity Sources ... 43
Advanced AD Query Configuration ... 43
Configuring Identity Awareness for a Domain Forest (Subdomains) ... 43
Specifying Domain Controllers per Security Gateway ... 44
Permissions and Timeout ... 47
Multiple Gateway Environments ... 48
Non-English Language Support ... 48
Performance ... 48
Troubleshooting ... 49
Advanced Captive Portal Configuration ... 51
Customizing Text Strings ... 51
Adding a New Language ... 54
Server Certificates ... 56
Advanced Identity Agents Configuration ... 58
Customizing Parameters ... 58
Prepackaging Identity Agent Installation ... 59
Advanced Deployment ... 60
Introduction ... 60
Deployment Options ... 61
Configuring Clusters in Bridge Mode ... 61
Preparing Clusters with a Bridge ... 63
Checking the Bridge Configuration ... 63
Configuring the External Identity Awareness Gateway ... 63
Configuring the Cluster ... 64
Configuring Cluster and Bridge Support ... 64
Deploying a Test Environment ... 64
Testing Identity Sources ... 65
Testing Identity Agents ... 65
Deployment Scenarios ... 66
Perimeter Security Gateway with Identity Awareness ... 66
Data Center Protection ... 67
Large Scale Enterprise Deployment ... 67
Network Segregation ... 69
Distributed Enterprise with Branch Offices ... 70
Wireless Campus ... 72
Dedicated Identity Acquisition Gateway ... 72
Advanced Identity Agent Options ... 74
Kerberos SSO Configuration ... 75
Overview ... 75
How SSO Operates ... 76
References ... 76
SSO Configuration ... 76
Server Discovery and Trust ... 81
Introduction ... 81
Discovery and Trust Options ... 82
Option Comparison ... 83
Prepackaging Identity Agents ... 89
Introduction ... 89
Custom Identity Agent msi ... 89
Using the cpmsi_tool.exe ... 89
Sample INI File ... 93
Deploying a Prepackaged Agent via the Captive Portal ... 93
Identity Awareness Commands ... 95
Introduction ... 95
pdp ... 96
pdp monitor ... 96
pdp connections ... 98
pdp control ... 98
pdp network ... 99
pdp debug ... 99
pdp tracker ... 100
pdp status ... 101
pdp update ... 101
pep ... 102
pep show ... 102
pep debug ... 104
adlog ... 105
adlog query ... 105
adlog dc ... 106
adlog statistics ... 106
adlog debug ... 106
adlog control ... 107
adlog service_accounts ... 107
test_ad_connectivity ... 108
Index ... 109

Chapter 1
Getting Started With Identity Awareness

In This Chapter
Introduction ... 7
Deployment ... 13
Identity Awareness Scenarios ... 14

Introduction

Traditionally, firewalls use IP addresses to monitor traffic and are unaware of the user and machine identities behind those IP addresses. Identity Awareness removes this anonymity by mapping users and machine identities to those addresses. This lets you enforce access and audit data based on identity.

Identity Awareness is an easy-to-deploy and scalable solution. It applies to both Active Directory and non-Active Directory based networks, and to both employees and guest users. It is currently available on the Firewall blade and Application Control blade and will operate with other blades in the future.
Identity Awareness lets you easily configure network access and auditing based on network location and:
- The identity of a user
- The identity of a machine

When Identity Awareness identifies a source or destination, it shows the IP address of the user or machine together with a name. This lets you create firewall rules with any of these properties. For example, you can define a firewall rule for specific users when they send traffic from specific machines, or a firewall rule for a specific user regardless of which machine they send traffic from.

In SmartDashboard, you use Access Role objects to define users, machines and network locations as one object. Identity Awareness also lets you see user activity in SmartView Tracker and SmartEvent based on user and machine name, not just IP addresses.

Identity Awareness gets identities from these acquisition sources:
- AD Query
- Captive Portal
- Identity Agent

The table below shows how the identity sources differ in usage and deployment considerations. Depending on those considerations, you can configure Identity Awareness to use one identity source or a combination of identity sources ("Choosing Identity Sources" on page 43).
Source: AD Query
Description: Gets identity data seamlessly from Microsoft Active Directory (AD).
Recommended Usage: Identity-based auditing and logging; leveraging identity in Internet application control; basic identity enforcement in the internal network.
Deployment Considerations: Easy configuration (requires AD administrator credentials); preferred for desktop users; only detects AD users and machines.

Source: Captive Portal
Description: Sends unidentified users to a Web portal for authentication.
Recommended Usage: Identity-based enforcement for non-AD users (non-Windows and guest users); for deployment of Identity Agents.
Deployment Considerations: Used for identity enforcement (not intended for logging purposes).

Source: Identity Agent
Description: A lightweight endpoint agent that authenticates securely with Single Sign-On (SSO).
Recommended Usage: Leveraging identity for Data Center protection; protecting highly sensitive servers; when accuracy in detecting identity is crucial.
Deployment Considerations: See Choosing Identity Sources (on page 43).

Identity aware gateways can share the identity information that they acquire with other identity aware gateways. In this way, users that need to pass through several enforcement points are only identified once. See Advanced Deployment (on page 60) for more information.

AD Query

AD Query is an easy to deploy, clientless identity acquisition method. It is based on Active Directory integration and is completely transparent to the user.

The AD Query option operates when:
- An identified asset (user or machine) tries to access an Intranet resource that creates an authentication request. For example, when a user logs in, unlocks a screen, shares a network drive, reads emails through Exchange, or accesses an Intranet portal.
- AD Query is selected as a way to acquire identities.

The technology is based on querying the Active Directory Security Event Logs and extracting the user and machine mapping to the network address from them.
It is based on Windows Management Instrumentation (WMI), a standard Microsoft protocol. The Security Gateway communicates directly with the Active Directory domain controllers and does not require a separate server. No installation is necessary on the clients or on the Active Directory server.

How AD Query Operates - Firewall Rule Base Example

The steps listed in the example align with the numbers in the image below.
1. The Security Gateway registers to receive security event logs from the Active Directory domain controllers.
2. A user logs in to a desktop computer using his Active Directory credentials.
3. The Active Directory DC sends the security event log to the Security Gateway. The Security Gateway extracts the user and IP information (user name@domain, machine name and source IP address).
4. The user initiates a connection to the Internet.
5. The Security Gateway confirms that the user has been identified and lets him access the Internet based on the policy.

Captive Portal

The Captive Portal is a tool that acquires identities from unidentified users. It is a simple method that authenticates users through a web interface before granting them access to Intranet resources. When users try to access a protected resource, they get a web page that they must fill out to continue.

Figure 1-1 Captive Portal Login

The Captive Portal option operates when a user tries to access a web resource and all of these apply:
- The Captive Portal is selected as a way to acquire identities and the redirect option has been set for the applicable rule.
- Unidentified users cannot access that resource because of rules with access roles in the Firewall / Application Rule Base. But if users are identified, they might be able to access the resource.

When these criteria are true, Captive Portal acquires the identities of users. From the Captive Portal users can:
- Enter an existing user name and password if they have them.
- For guest users, enter required credentials. Configure what is required in the Portal Settings.

[...]

This SmartEvent Intro log entry shows details of an Application Control event with Identity Awareness user and machine identity.

[...]

Chapter 2
Configuring Identity Awareness

In This Chapter
Enabling Identity Awareness on the Security Gateway
Creating Access Roles
Using Identity Awareness in...

[...] branch. Double-click the gateway on which to enable Identity Awareness. On the General Properties page > Additional Features section, select Identity Awareness. Or, from the Gateway Properties tree, select Identity Awareness and, on the Identity Awareness page, select Enable Identity Awareness. The Identity Awareness Configuration wizard opens.

[...] 5. Select one...

[...] (on page 35).

Acquiring Identities in Application Control

Identity Awareness and Application Control can be used together to add user awareness, machine awareness, and application awareness to the Check Point gateway. They work together in these procedures:
- Use Identity Awareness Access Roles in Application Control rules as...

[...] Servers.

Identity Awareness Scenarios

This section describes scenarios in which you can use Identity Awareness to let users access network resources. The first 3 scenarios describe different situations of acquiring identities in a Firewall Rule Base environment. The last scenario describes the use of Identity Awareness in an Application...
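The following is an added illustration, not Check Point's code, of the two mechanisms described above: AD Query building a source-IP-to-identity map from domain controller security events, and an access-role rule with the redirect option sending an unidentified source to the Captive Portal. The event layout, rule fields, first-match order and "latest logon for an IP wins" behaviour are simplifying assumptions of this example.

```python
# Added example (not Check Point code): AD Query style identity map plus access-role rule evaluation.
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample AD security-event records (hypothetical simplified layout).
AD_EVENTS = [
    "LogonSuccess user=alice domain=CORP workstation=WS-ALICE src=10.1.1.10",
    "LogonSuccess user=bob domain=CORP workstation=WS-BOB src=10.1.1.11",
    "PrinterJob user=bob src=10.1.1.11",  # not a logon event: ignored
    "LogonSuccess user=carol domain=CORP workstation=WS-BOB src=10.1.1.11",
]
LOGON_RE = re.compile(r"LogonSuccess user=(\S+) domain=(\S+) workstation=(\S+) src=(\S+)$")

def build_identity_map(events):
    """Map source IP -> (user@domain, machine) from AD logon events, as AD Query does.
    Assumption: the most recent logon seen for an IP replaces the earlier mapping."""
    identities = {}
    for line in events:
        m = LOGON_RE.match(line)
        if m is None:
            continue                      # only AD logon events yield identities
        user, domain, machine, ip = m.groups()
        identities[ip] = (f"{user}@{domain}", machine)
    return identities

@dataclass
class Rule:
    dst: str                      # destination name, "*" for any
    role_users: Optional[set]     # None: no access role; else users in the role
    action: str                   # "accept" or "drop"
    redirect_to_portal: bool = False

RULES = [
    Rule("finance-web", {"alice@CORP"}, "accept", redirect_to_portal=True),
    Rule("*", None, "drop"),      # cleanup rule
]

def decide(src_ip, dst, identities, rules, portal_enabled=True):
    """First-match evaluation: an access-role rule matches only an identified user in
    the role; an unidentified source hitting a redirect-enabled role rule goes to the portal."""
    user = identities.get(src_ip, (None, None))[0]
    for rule in rules:
        if rule.dst not in ("*", dst):
            continue
        if rule.role_users is None or user in rule.role_users:
            return rule.action
        if user is None and portal_enabled and rule.redirect_to_portal:
            return "redirect"
    return "drop"                 # implicit drop when nothing matched
```

Note that carol's later logon on WS-BOB replaces bob's mapping for 10.1.1.11, which is why the table lists accuracy as the reason to prefer Identity Agents for sensitive servers.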
[...] Roles ... 28
Using Identity Awareness in the Firewall Rule Base ... 30
Using Identity Awareness in the Application Control Rule Base ... 31
Configuring Captive Portal in SmartDashboard ... 33
Configuring Identity Agents ... 36
Configuring Identity Awareness for a Log Server ... 42

Enabling Identity Awareness on the Security Gateway

When you enable Identity Awareness on a Security Gateway, a wizard opens. You can use the...

[...] After configuration and policy install, users that browse to the Finance Web server will get the Captive Portal and can download the Identity Agent.

Required SmartDashboard Configuration
To make this scenario work, the IT administrator must:
1. Enable Identity Awareness on a gateway and select Identity Agents and Captive Portal as Identity...

[...] require user input.

Before you configure Identity Agents, you must think about these elements:
- Identity Agent type: Full Identity Agent, Light Identity Agent or Custom Identity Agent. For the Full Identity Agent you can enforce IP spoofing protection. For the Full Identity Agent you can also leverage machine authentication if you define machines in access roles. The Custom Identity Agent is a customized installation...

[...] access to resources is based on rules in the Firewall Rule Base.

Required SmartDashboard Configuration
To make this scenario work, the IT administrator must:
1. Enable Identity Awareness on a gateway and select Captive Portal as one of the Identity Sources.
2. In the Portal Settings window in the User Access section, make sure...
[...] pane.
7. In the Machines tab, select Enforce IP spoofing protection (requires full identity agent) if you want to enable the packet tagging feature.
8. Click OK.
The access role is added to the Users and Administrators tree.

Using Identity Awareness in the Firewall Rule Base

The Security Gateway examines packets and applies...

[...]

User Identification in the Logs

The SmartView Tracker log below shows how the system recognizes a guest. This log entry shows that the system maps the source IP address with the user's identity. In this case, the identity is "guest" because that is how the user is identified in the Captive Portal.

Acquiring Identities with Identity Agents
[...]