https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-Browser-Based-Authentication-change/m-p/170881#M30950 <P>Yes, users can browse to a specific URL on the gateway and authenticate manually.<BR />You can see the precise URL for your environment and configure various aspects of it here:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-02-09 at 1.03.14 PM.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/19527iE9324DEFD8CE8E40/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2023-02-09 at 1.03.14 PM.png" alt="Screenshot 2023-02-09 at 1.03.14 PM.png" /></span></P> Thu, 09 Feb 2023 19:07:08 GMT PhoneBoy 2023-02-09T19:07:08Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-Browser-Based-Authentication-change/m-p/170470#M30883 <P>Hello,</P><P>We have Identity Awareness with Browser based authentication activated, which is accessible "through all Interfaces". We want to change this to the option "According to the Firewall Policy".&nbsp; What exact rules are needed here? There is no further explantion for the option in the SmartConsole help. I also couldn't find anything online.</P><P>When we activated the "According to the Firewall Policy" option once, the Portal was not accessible at all anymore, although there was a rule with the action "accept (display captive portal)".</P><P>&nbsp;</P><P>We're running R81.10 T45.</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 06 Feb 2023 15:37:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-Browser-Based-Authentication-change/m-p/170470#M30883 michael3 2023-02-06T15:37:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-Browser-Based-Authentication-change/m-p/170518#M30891 <P>TCP port 443 (https) is what is required for Captive Portal to work.<BR />The rule should just have a simple Accept action (not with Display Captive Portal).</P> Mon, 06 Feb 2023 22:32:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-Browser-Based-Authentication-change/m-p/170518#M30891 PhoneBoy 2023-02-06T22:32:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-Browser-Based-Authentication-change/m-p/170627#M30898 <P>Hallo,</P><P>thx for your reply, so i would a need a rule like:<BR />Usergroup1 -&gt; GatewayIP (where the Captive portal (should) run) : https accept</P><P>But how do I acheive that different User objects are only allowed to access a certain destination then? Does this also mean there are no redirects anymore and customers directly have to enter the Gateway IP or DNS to the Browser?</P><P>At the moment we have rules like the following scheme:</P><P>Users1 -&gt; DestinationIP1 : services accept(display captive portal)<BR />Users2 -&gt; DestinationnetworkX : services accept(display captive portal)</P><P>In the Users Object, LDAP Groups, possible source networks etc are defined.<BR />If the destination is a http site, I'm automatically redirected to Identity Portal.</P><P><BR />I mean a redirect is not necesarry, just that I can define different usergroups with different destinations and services</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 07 Feb 2023 17:45:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-Browser-Based-Authentication-change/m-p/170627#M30898 michael3 2023-02-07T17:45:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-Browser-Based-Authentication-change/m-p/170649#M30910 <P>The rule I described allows the Captive Portal to be reached when "According to Firewall Policy" is used.<BR />You still need to have your other rules in place.<BR />Also, HTTPS Inspection must be enabled in order for redirects to occur when the destination site is HTTPS.&nbsp;</P> Tue, 07 Feb 2023 21:25:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-Browser-Based-Authentication-change/m-p/170649#M30910 PhoneBoy 2023-02-07T21:25:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-Browser-Based-Authentication-change/m-p/170871#M30947 <P>Hallo,</P><P>thank you very much, I now tried this successfully <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>I have one final question: What would I have to change, sucht that there isn't any redirect? So people&nbsp;just have to know that they browse to the Gateway (Identity Portal) first and then after successful login, they can do what they are allowed according to the rules.</P> Thu, 09 Feb 2023 17:10:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-Browser-Based-Authentication-change/m-p/170871#M30947 michael3 2023-02-09T17:10:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-Browser-Based-Authentication-change/m-p/170881#M30950 <P>Yes, users can browse to a specific URL on the gateway and authenticate manually.<BR />You can see the precise URL for your environment and configure various aspects of it here:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-02-09 at 1.03.14 PM.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/19527iE9324DEFD8CE8E40/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2023-02-09 at 1.03.14 PM.png" alt="Screenshot 2023-02-09 at 1.03.14 PM.png" /></span></P> Thu, 09 Feb 2023 19:07:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-Browser-Based-Authentication-change/m-p/170881#M30950 PhoneBoy 2023-02-09T19:07:08Z