topic Re: Identity Awareness - R81.20 For Lab in Firewall and Security Management

Identity Awareness - R81.20 For Lab

HaTM — Thu, 23 May 2024 02:01:15 GMT

I setup a virtual lab with Checkpoint Firewall Security Management and Standalone R81.20 to test the integration of the Aruba ClearPass Policy Manager solution. When I enabled the Identity Awareness feature on Checkpoint and tried to post an API to the Firewall address, there was no response. Therefore, I tried using Postman and a browser to the Firewall's API address, but both showed a 404 Error "No URL" result as shown below:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<HTML>

<HEAD>

<TITLE> 404 File Not Found </TITLE>

</HEAD>

<BODY>

The URL you requested could not be found on this server.

So i really need help to resolve this issue, tks!

Re: Identity Awareness - R81.20 For Lab

PhoneBoy — Thu, 23 May 2024 20:40:31 GMT

What precise steps were taken to enable Identity Awareness on the gateway?
At the very least you need to enable the blade and push policy to the relevant gateway.

Re: Identity Awareness - R81.20 For Lab

HaTM — Fri, 24 May 2024 01:39:59 GMT

Hi, tks for your responsed

I have reinstalled the lab and successfully sent API using Postman. Currently, I am encountering issues sending API from ClearPass Policy Manager to the Firewall. I have configured the Context Server actions on ClearPass and tested by logging in/out users from CP OnGuard Agent; however, I do not see any Identity Awareness logs on Check Point. How can I troubleshoot the log sending/receiving between these two servers? I would greatly appreciate your guidance.

Re: Identity Awareness - R81.20 For Lab

PhoneBoy — Fri, 24 May 2024 14:49:37 GMT

I'm not familiar with the integration with Aruba.
Generally speaking, though:

Users should be communicated to our gateways via the IDA API
Groups (necessary for Access Roles) will come from LDAP (usually from on-premise Active Directory)

I'd start by checking the Aruba side of this to make sure it is sending us information.
A simple tcpdump should verify the Aruba server is sending traffic to the gateway on port 443.

Re: Identity Awareness - R81.20 For Lab

HaTM — Mon, 27 May 2024 01:50:27 GMT

Thank you for your response. I have currently opened a support case with Aruba TAC to debug why the API is not being sent from ClearPass. I have an additional question: with this integration, does CheckPoint require user authentication (via LDAP or AD)? Can I create a dynamic policy to manage user access on CheckPoint based solely on parameters such as IP address and the ClearPass PC health check results?

Re: Identity Awareness - R81.20 For Lab

PhoneBoy — Tue, 28 May 2024 16:15:51 GMT

Identity Awareness receives information via Identity Agents, Identity Collector, or the Identity Awareness API (e.g. for Aruba Clearpass).
Among this information is the user...which is not strictly required.
However, one or more Identity Tags would probably need to be defined to create the relevant Access Policy rules.

Re: Identity Awareness - R81.20 For Lab

HaTM — Mon, 03 Jun 2024 02:36:50 GMT

Hi, i tried to post API to Firewall IA API via Postman with this content:

{"shared-secret":"**********", "user": "NACAdmin","ip-address":"1.2.3.4","identity-source": "Aruba ClearPass Policy Manager","calculate-roles":0,"fetch-user-groups": 0,"fetch-machine-groups": 0,"roles": "[%{Role Test}]"}

But i got result:

"message": "Unexpected type 'string' for parameter 'roles' in object of type 'add-identity'. Type should be convertible to array"

So how can i push roles of user to Firewall ? cus at Checkpoint's guide here https://sc1.checkpoint.com/documents/latest/IdentityAPIs/#web/add-identity~v1%20

i can send role name to CP.

Re: Identity Awareness - R81.20 For Lab

PhoneBoy — Mon, 03 Jun 2024 13:36:30 GMT

Roles needs to be an array, which are enclosed in square brackets.
The roles listed between the square brackets must be enclosed in quotes (i.e. strings).
Your JSON should look like this:

{ "shared-secret": "**********", "user": "NACAdmin", "ip-address": "1.2.3.4", "identity-source": "Aruba ClearPass Policy Manager", "calculate-roles": 0, "fetch-user-groups": 0, "fetch-machine-groups": 0, "roles": ["Role Test"] }

Re: Identity Awareness - R81.20 For Lab

HaTM — Tue, 04 Jun 2024 08:20:37 GMT

Hi Phone Boy, Thank for your reply.

I have successfully sent a manual API and the Checkpoint Firewall has added identity for the User. Currently, I am having an issue with ClearPass sending the API automatically to Checkpoint. Through capturing packets with Wireshark at the Firewall, I observed that there was a POST message sent from ClearPass. However, there is no record in the log blade:IA. What should I do to debug this case, please help me

Re: Identity Awareness - R81.20 For Lab

PhoneBoy — Tue, 04 Jun 2024 18:27:57 GMT

Can you see the exact API call with JSON body sent by Clearpass to the gateway?
Without that, and given that you were able to make a successful API call on your own, I assume this issue is on the Clearpass side.

Re: Identity Awareness - R81.20 For Lab

HaTM — Wed, 05 Jun 2024 02:55:04 GMT

Yes, i have capture on Wireshark about API packet sent to Checkpoint, ClearPass is not enclosing the ip-address parameter in outgoing communications, thus the current issue lies with ClearPass. I have opened a case with Aruba TAC and hope they can assist me in resolving this issue. Additionally, I would like to inquire about licenses for the lab. Where can I obtain a temporary license, as my current lab setup will run out of its license in a few days?

Re: Identity Awareness - R81.20 For Lab

PhoneBoy — Wed, 05 Jun 2024 23:44:24 GMT

You can generate evaluation licenses via UserCenter, as described here: https://community.checkpoint.com/t5/General-Topics/How-to-Request-an-Evaluation-License-for-Security-Gateways-and/m-p/40391#M8499

Re: Identity Awareness - R81.20 For Lab

HaTM — Mon, 24 Jun 2024 07:48:16 GMT

Hi, kindly answer my one more question. When i turn-up Identity Awareness on Firewall and use AD Query option. To connect the Firewall to the AD/LDAP server, I see there is a note that an Administrator account must be used. So, what is the admin account here? What are its privileges (e.g., domain admin, schema admin, or some other admin)? Do you have any documentation about this that you can share?

Re: Identity Awareness - R81.20 For Lab

PhoneBoy — Mon, 24 Jun 2024 16:32:09 GMT

Start here: https://support.checkpoint.com/results/sk/sk93938
If you don't like users being part of the "Server Operators" group, see also: https://support.checkpoint.com/results/sk/sk104900

In general, we recommend using Identity Collector over ADQuery: https://support.checkpoint.com/results/sk/sk60301

Re: Identity Awareness - R81.20 For Lab

HaTM — Tue, 25 Jun 2024 09:00:05 GMT

To integrate Firewall Checkpoint with an OpenLDAP server, what level of user permissions do I need to create at the LDAP end for the Firewall to be able to use the AD Query feature? Kindly guide me, tks!

Re: Identity Awareness - R81.20 For Lab

PhoneBoy — Tue, 25 Jun 2024 15:27:42 GMT

ADQuery uses WMI, which I'm fairly certain OpenLDAP does not implement.
In any case, we don't support the use of OpenLDAP for Identity Awareness.

Re: Identity Awareness - R81.20 For Lab

HaTM — Sat, 06 Jul 2024 09:51:12 GMT

Hi PhoneBoy,

I have successfully sent an API from ClearPass to Checkpoint. However, now I have a new issue with updating the Access Role on the Firewall. For every Role value that I send with the variable "calculate-roles" = 1, the Firewall automatically updates all my users into all the existing Access Roles on the Firewall.

How can I update the role for the user correctly on the firewall? Please guide me, thank you.

Re: Identity Awareness - R81.20 For Lab

PhoneBoy — Mon, 08 Jul 2024 18:47:14 GMT

To use groups sent through the Identity Awareness API, they have to be created as Identity Tags using the same capitalization as defined on the source.
See: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_IdentityAwareness_AdminGuide/Content/Topics-IDAG/Configuring-Identity-Awareness-Using-Identity-Tags-in-Access-Role-Matching.htm

Re: Identity Awareness - R81.20 For Lab

HaTM — Tue, 09 Jul 2024 16:42:48 GMT

Hi PhoneBoy,
My config for Access Role with Specified network below:

Subnet added: 10.84.3.0/24

when user login successfully, i only see the successful login logs follow:

So I'm confused whether without the Access Role Up log, whether this User of mine can be correctly mapped to that CPPM Access Role or not?

Re: Identity Awareness - R81.20 For Lab

PhoneBoy — Tue, 09 Jul 2024 17:56:25 GMT

The log you provided shows the roles that were mapped to the user (in your example CPPM).