topic Re: Identity Awareness using Azure AD in Firewall and Security Management

Identity Awareness using Azure AD

adamhi — Tue, 12 May 2020 14:25:03 GMT

Hi,

Possibly a daft question, but can anyone confirm if IA works against Azure AD as opposed to 'normal' AD? This is for an org that won't have any on prem AD at the end of the implementation.

I've had a look through the deployment guide for the version we would be implementing but it doesn't specifically mention Azure as being OK and I understand from our cloud architects that it's a bit different to AD as I know it.

Thanks in advance.

Re: Identity Awareness using Azure AD

PhoneBoy — Wed, 13 May 2020 04:36:32 GMT

@Royi_Priov this is still in EA, right?

Re: Identity Awareness using Azure AD

Royi_Priov — Wed, 13 May 2020 05:55:10 GMT

Hi @adamhi ,

In R80.40, you can use SAML integration with AzureAD for authentication and autorization.

However, in the IDA picker (when you create access roles), you will need to represent the AzureAD objects (users/machines/groups) manually as "Identity Tag" objects.

In R81, the integration of AzureAD in IDA picker will be available, where you can create your AzureAD object and select the objects from AAD same way as you do it on regular AD.

It will be available for EA via R81 EA program. Please contact your local SE for more details.

Re: Identity Awareness using Azure AD

adamhi — Wed, 13 May 2020 18:53:11 GMT

Thanks gents, much appreciated.

This isn't going to be needed until Q2 2021, so I'm not sure we need to look into EA. I'll let the hierarchy know that it is feasible given current tech stack.

Re: Identity Awareness using Azure AD

Royi_Priov — Thu, 14 May 2020 07:27:08 GMT

Hi @adamhi , by that time you will be able to use the GA of this feature (as part of R81).

Good luck 🙂

Re: Identity Awareness using Azure AD

Martins — Mon, 03 Aug 2020 15:12:17 GMT

Hi, just the manager needs to use the R80.40 to work with SAML? Or the gateways too?
Thanks!

Re: Identity Awareness using Azure AD

PhoneBoy — Mon, 03 Aug 2020 15:16:31 GMT

This requires R80.40+ gateways.

Re: Identity Awareness using Azure AD

Royi_Priov — Tue, 04 Aug 2020 08:59:59 GMT

Hi @Martins

I will clarify:

In R80.40 we have added SAML support to IDA captive portal. it means we can use AAD as SAML Identity Provider.
in R81 we have added AzureAD as user directory, which means you can configure entities (users/group/machines) from AAD in Identity Awareness Access Roles objects.

Both features requires both SmartCenter and GW to be in this version.

Re: Identity Awareness using Azure AD

Martins — Tue, 04 Aug 2020 12:51:16 GMT

Hi @Royi_Priov ,
Thank you for clarify.
Can I use SAML with 3rd party (MFA) as a Identity provider to autenticate the VPN ?

Thanks.

Re: Identity Awareness using Azure AD

PhoneBoy — Tue, 04 Aug 2020 19:48:14 GMT

VPN clients currently do not support SAML authentication.
This is planned for a later release.

Re: Identity Awareness using Azure AD

Paul_Grigg — Mon, 26 Oct 2020 06:21:25 GMT

R81 IDA admin guide has two videos regarding SAML and Azure AD configuration. (The SAML video was available in R80.40 admin guide.)

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topics-IDAG/Show-me-the-Videos.htm?tocpath=_____4

Re: Identity Awareness using Azure AD

AntoF — Thu, 25 Feb 2021 07:13:20 GMT

@Royi_Priov - I went through the R81 Identity Awareness admin guide and watched the videos. It shows that it SAML is supported for Captive Portal. Will this also work for the Endpoint Security VPN clients?

Re: Identity Awareness using Azure AD

PhoneBoy — Thu, 25 Feb 2021 07:18:08 GMT

Just answered this in a different thread where you asked the same question: coming soon.

Re: Identity Awareness using Azure AD

Netadmin2020 — Sat, 13 Mar 2021 07:04:25 GMT

Hello !

I am trying to add my azure datacenter to checkpoint but the below message occurs:

Seems that checkpoint cannot establish a connection to azure. Yes i have create a custom app to azure.

Please help. I want to have IDA from Checkpoint to Azure AD.

Thank you

Re: Identity Awareness using Azure AD

PhoneBoy — Sat, 13 Mar 2021 07:23:35 GMT

So…what does it say when you click for details?

Re: Identity Awareness using Azure AD

Netadmin2020 — Sat, 13 Mar 2021 07:27:05 GMT

In which way checkpoint contacts azure?

Do i have to set a policy for this communication?

Re: Identity Awareness using Azure AD

PhoneBoy — Sat, 13 Mar 2021 07:46:10 GMT

I would assume so, yes.
It would be coming from your management in this case, I assume on port 443, to the relevant API endpoint in Azure.

Re: Identity Awareness using Azure AD

Netadmin2020 — Sat, 13 Mar 2021 07:50:13 GMT

You mean the secure management server as a source and destination port 443 to where? can u make an example please?

I have already a rule from sms to everywhere.

Re: Identity Awareness using Azure AD

Netadmin2020 — Sat, 13 Mar 2021 09:45:33 GMT

The traffic for specific node to azure is allowed and from the management server to internet. I don't understand why this connection fails.

Please help

Re: Identity Awareness using Azure AD

PhoneBoy — Sat, 13 Mar 2021 17:13:17 GMT

Recommend a TAC case here unless @Royi_Priov has other suggestions.