topic Re: Captive portal for linux SSH or Terminal windows in Firewall and Security Management

Captive portal for linux SSH or Terminal windows

Blason_R — Thu, 21 Mar 2019 14:53:35 GMT

Hi there,

Is anyone aware if any mechanism exists to leverage Identity awareness when I would like to pass through Firewall with captive Portal enabled while using SSH or Linux with no GUI Terminal?

With browser Yes it's pretty much possible; but what if the GUI is not available?

Thanks and Regards,

Blason R

Re: Captive portal for linux SSH or Terminal windows

G_W_Albrecht — Thu, 21 Mar 2019 15:09:44 GMT

Captive Portal is made for Browser Based Auth only - you could do a RFE here: Products and Feature Suggestions

Re: Captive portal for linux SSH or Terminal windows

Blason_R — Thu, 21 Mar 2019 15:11:14 GMT

Okies and thanks for the reply.

Re: Captive portal for linux SSH or Terminal windows

PhoneBoy — Fri, 22 Mar 2019 05:09:05 GMT

Identity Awareness has an API.
Perhaps you can script up something that gives your Linux machine an identity?

Re: Captive portal for linux SSH or Terminal windows

Blason_R — Fri, 22 Mar 2019 05:33:08 GMT

Thanks buddy!!

Re: Captive portal for linux SSH or Terminal windows

Wolfgang — Fri, 22 Mar 2019 07:51:32 GMT

In the older times there was a possibility to telnet to port 259 on the gateway. This worked via a rule with "Client Auth" as action...

This very old document gives a good description of how to configure

http://downloads.checkpoint.com/dc/download.htm?ID=12297

But with "Client Auth" there are some limitations shown in sk115961

We had customers using this with R77.30, but never tried on R80.xx

Re: Captive portal for linux SSH or Terminal windows

G_W_Albrecht — Fri, 22 Mar 2019 08:08:00 GMT

You can find another answer in sk115242: The Linux user can use the supported SNX build for Linux CLI implementation from sk90240 (Build 800007075) instead of the Captive Portal ! See also SSL Network Extender E75 CLI Support for Mobile Access Blade Release Notes.

Re: Captive portal for linux SSH or Terminal windows

PhoneBoy — Fri, 22 Mar 2019 15:40:53 GMT

Client Auth has been deprecated. That said, there are a few use cases where Client Auth still makes sense (like this one).

Re: Captive portal for linux SSH or Terminal windows

Blason_R — Tue, 26 Mar 2019 04:05:04 GMT

Well, the use case here is; since we have a customer whose servers are placed in DMZ and then users can access the DMZ servers and then since those are servers have outbound https access opens they do SSL Tunneling to certain sites and access it. I understand we can harden it on SSH bu disabling SSH Port forwarding but I see cases where the user has setup Squid proxy on a server and since the server has ANY Access to http/https they are able to access the internet through it.

Hence even if they take SSH of the server wondering if Captive portal could have been a better option for accessing the Internet?

Re: Captive portal for linux SSH or Terminal windows

PhoneBoy — Tue, 26 Mar 2019 22:18:11 GMT

SSH can also be a SOCKS proxy as well, so there's another potential hole to close.

Re: Captive portal for linux SSH or Terminal windows

Ken_Dickey — Thu, 28 Mar 2019 13:41:15 GMT

RDP sessions to jump hosts in SCADA environments is another use case. I used to configure Client Auth with RSA MFA just for that purpose. Is this no loner possible in R80?

Re: Captive portal for linux SSH or Terminal windows

Daniel_Taney — Thu, 28 Mar 2019 15:38:21 GMT

Client Auth still exists in R80.x but if memory serves, it can cause weird issues with your policy if you are using layers. We still have Client Auth rules in a couple of policies and I seem to remember testing things on a lab GW and being given some error when I tried to mix layers and Client Auth rules.

So, while the feature is still there, it may interfere with your ability to make use of newer Check Point features.

Re: Captive portal for linux SSH or Terminal windows

PhoneBoy — Thu, 28 Mar 2019 18:07:05 GMT

Yes, it will.
Refer to: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk115961

Re: Captive portal for linux SSH or Terminal windows

Bogdan_Tatomir1 — Tue, 16 Jul 2019 14:43:40 GMT

Going back to "Captive Portal is made for Browser Based Auth only".

While this is perfectly true, browser communication in the end is just HTTP GET and HTTP POST requests.

If we would to capture a HTTP session between a, let's say Windows supported browser, and the IDA portal auth, with Fiddler or similar, and then extract and replicate the HTTP post of the authentication itself, and then script that into the linux cli box ?

Would this work ?

Afaik, Captive portal does not require any ongoing resources (keep-alive window open / cookies validation /etc) and once the IP and username have been linked on the FW side, it remains so until the configured session timeout.