https://community.checkpoint.com/t5/API-CLI-Discussion/CheckPoint-integration-with-ClearPass-via-API-Gateway-is-not/m-p/129808#M6255 <P>In R80.40 and above, you can adjust this via the Identity Conciliation feature.<BR />It's described here:<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk146835&amp;partition=Basic&amp;product=Identity" target="_blank">&nbsp;https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk146835&amp;partition=Basic&amp;product=Identity</A><BR />You will need to contact the TAC to get the exact procedure for your situation.</P> Mon, 20 Sep 2021 20:37:13 GMT PhoneBoy 2021-09-20T20:37:13Z https://community.checkpoint.com/t5/API-CLI-Discussion/CheckPoint-integration-with-ClearPass-via-API-Gateway-is-not/m-p/129113#M6227 <P>I am trying to integrate CheckPoint gateway with Aruba ClearPass in order to use user roles in a CheckPoint GW sent by a ClearPass server.</P><P>In CheckPoint's pdp logs I see that CheckPoint GW is receiving authenticated user's roles, but the problem is that CheckPoint is not attaching these roles to users. If I try to create 'Access roles' in CheckPoint locally&nbsp; then those roles are assigned to authenticated users regardless what ClearPass sends.</P><P>What am I missing? How should I make CheckPoint GW use roles that has been sent by a ClearPass?</P><P>&nbsp;</P><P>All of the configuration that I've done is from this guide:&nbsp;<A href="https://support.hpe.com/hpesc/public/docDisplay?docId=a00091074en_us&amp;docLocale=en_US" target="_blank">https://support.hpe.com/hpesc/public/docDisplay?docId=a00091074en_us&amp;docLocale=en_US</A>&nbsp;.</P><P>&nbsp;</P><P>Thank you,</P> Fri, 10 Sep 2021 13:44:51 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/CheckPoint-integration-with-ClearPass-via-API-Gateway-is-not/m-p/129113#M6227 GLTomas 2021-09-10T13:44:51Z https://community.checkpoint.com/t5/API-CLI-Discussion/CheckPoint-integration-with-ClearPass-via-API-Gateway-is-not/m-p/129115#M6228 <P>The only thing the underlying API allows sending is the identity (user).<BR />The Access Roles must still be defined on the Check Point side and verified e.g. with Active Directory.<BR />That is mentioned in the documentation you provided in a few places, but this first one comes from page 10:</P> <P class="lia-indent-padding-left-30px"><SPAN>When using the Check</SPAN><SPAN>Point Identity Awareness feature (RESTful API or RADIUS Accounting) the userID that </SPAN><SPAN>is received by the firewall typically has to be verifiable as a valid user. Check</SPAN><SPAN>Point will ensure th</SPAN><SPAN>e user exists </SPAN><SPAN>within an authoritative Identity Store, like Active Directory</SPAN><SPAN>.</SPAN></P> <P>&nbsp;</P> Fri, 10 Sep 2021 15:18:10 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/CheckPoint-integration-with-ClearPass-via-API-Gateway-is-not/m-p/129115#M6228 PhoneBoy 2021-09-10T15:18:10Z https://community.checkpoint.com/t5/API-CLI-Discussion/CheckPoint-integration-with-ClearPass-via-API-Gateway-is-not/m-p/129118#M6229 <P>But how about page 6 where it is said that "User Role" attribute <SPAN>can be&nbsp;</SPAN><SPAN>pass</SPAN><SPAN>ed&nbsp;</SPAN><SPAN>from ClearPass&nbsp;</SPAN><SPAN>to Check </SPAN><SPAN>Point?</SPAN></P><P><SPAN>Also under "Appendix C –SQL Authorization Source" on page 34 - it even shows how to extract roles from a ClearPass in order to send them to CheckPoint firewall. Newer version of this document:&nbsp;<A href="https://support.hpe.com/hpesc/public/docDisplay?docId=a00101500en_us" target="_blank" rel="noopener">https://support.hpe.com/hpesc/public/docDisplay?docId=a00101500en_us</A></SPAN></P><P>So as you said, I am&nbsp;<SPAN>defining access roles on the CheckPoint side but those roles are being used automatically,- as far as I imagine, those roles should be picket and used only when ClearPass sends role names to a CheckPoint firewall, isn't it?</SPAN></P><P>Thank you,</P> Fri, 10 Sep 2021 15:49:50 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/CheckPoint-integration-with-ClearPass-via-API-Gateway-is-not/m-p/129118#M6229 GLTomas 2021-09-10T15:49:50Z https://community.checkpoint.com/t5/API-CLI-Discussion/CheckPoint-integration-with-ClearPass-via-API-Gateway-is-not/m-p/129119#M6230 <P>Even if you groups are passed (which I can see the API supports),&nbsp;you still have to create the Access Roles on the Check Point side.<BR />Page 11:</P> <P class="lia-indent-padding-left-30px"><SPAN>To&nbsp;</SPAN><SPAN>ensure&nbsp;</SPAN><SPAN>the identity will not be verified against Check</SPAN><SPAN>Point</SPAN><SPAN>’</SPAN><SPAN>s identity sources</SPAN><SPAN>,&nbsp;</SPAN><SPAN>the </SPAN><SPAN>“</SPAN><SPAN>fetch</SPAN><SPAN>-</SPAN><SPAN>user</SPAN><SPAN>-</SPAN><SPAN>groups</SPAN><SPAN>” </SPAN><SPAN>and “</SPAN><SPAN>fetch</SPAN><SPAN>-</SPAN><SPAN>machine</SPAN><SPAN>-</SPAN><SPAN>groups</SPAN><SPAN>”&nbsp;</SPAN><SPAN>should be set to 0 (zero)</SPAN><SPAN>. </SPAN><SPAN>T</SPAN><SPAN>his is very important for Guest Users.&nbsp;</SPAN><SPAN>Obviously for </SPAN><SPAN>Guest users their </SPAN><SPAN>userIDs do not exist within </SPAN><SPAN>identity&nbsp;</SPAN><SPAN>stores like Active Directory </SPAN><SPAN>as they are transient users. </SPAN><SPAN>Some guest accounts could exist within a direc</SPAN><SPAN>tory but that is not usual. So&nbsp;</SPAN><SPAN>as </SPAN><SPAN>a </SPAN><SPAN>part of th</SPAN><SPAN>e integration,&nbsp;</SPAN><SPAN>identif</SPAN><SPAN>y these users </SPAN><SPAN>and link them to a user group (a configurable Check&nbsp;</SPAN><SPAN>Point attribute called access role).</SPAN></P> Fri, 10 Sep 2021 15:50:32 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/CheckPoint-integration-with-ClearPass-via-API-Gateway-is-not/m-p/129119#M6230 PhoneBoy 2021-09-10T15:50:32Z https://community.checkpoint.com/t5/API-CLI-Discussion/CheckPoint-integration-with-ClearPass-via-API-Gateway-is-not/m-p/129798#M6254 <P>Hello, we have an implementation where CheckPoint is integrated with an AD with an Identity Collector. But when we integrate our CheckPoint with third-party solution and at the same time get identity information from AD and from third party device via Assigning "0" to those values helped. But now I have different problem. W<SPAN>e have an implementation where CheckPoint is integrated with an AD with an Identity Collector. But when we integrate our CheckPoint with third-party solution, GW gets identity information from AD and from third party device via API at the same time,- as a result Checkpoint GW then has two blocks of information about same identity from two different sources (AD and 3rd party tool via API) which leads to a problem, because Access roles then are assigned incorrectly. How to make GW to pay attention only to identities learnt by 3rd party solutions via API?</SPAN></P> Mon, 20 Sep 2021 15:30:12 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/CheckPoint-integration-with-ClearPass-via-API-Gateway-is-not/m-p/129798#M6254 GLTomas 2021-09-20T15:30:12Z https://community.checkpoint.com/t5/API-CLI-Discussion/CheckPoint-integration-with-ClearPass-via-API-Gateway-is-not/m-p/129808#M6255 <P>In R80.40 and above, you can adjust this via the Identity Conciliation feature.<BR />It's described here:<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk146835&amp;partition=Basic&amp;product=Identity" target="_blank">&nbsp;https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk146835&amp;partition=Basic&amp;product=Identity</A><BR />You will need to contact the TAC to get the exact procedure for your situation.</P> Mon, 20 Sep 2021 20:37:13 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/CheckPoint-integration-with-ClearPass-via-API-Gateway-is-not/m-p/129808#M6255 PhoneBoy 2021-09-20T20:37:13Z