GLTomas
Explorer

CheckPoint integration with ClearPass via API - Gateway is not using ClearPass roles

I am trying to integrate CheckPoint gateway with Aruba ClearPass in order to use user roles in a CheckPoint GW sent by a ClearPass server.

In CheckPoint's pdp logs I see that the CheckPoint GW is receiving the authenticated user's roles, but the problem is that CheckPoint is not attaching these roles to users. If I try to create 'Access roles' in CheckPoint locally, then those roles are assigned to authenticated users regardless of what ClearPass sends.

What am I missing? How should I make the CheckPoint GW use the roles that have been sent by ClearPass?


All of the configuration that I've done is from this guide: https://support.hpe.com/hpesc/public/docDisplay?docId=a00091074en_us&docLocale=en_US .


Thank you,

5 Replies
PhoneBoy
Admin

The only thing the underlying API allows sending is the identity (user).
The Access Roles must still be defined on the Check Point side and verified e.g. with Active Directory.
That is mentioned in the documentation you provided in a few places, but this first one comes from page 10:

When using the CheckPoint Identity Awareness feature (RESTful API or RADIUS Accounting) the userID that is received by the firewall typically has to be verifiable as a valid user. CheckPoint will ensure the user exists within an authoritative Identity Store, like Active Directory.


GLTomas
Explorer

But what about page 6, where it is said that the "User Role" attribute can be passed from ClearPass to Check Point?

Also, under "Appendix C - SQL Authorization Source" on page 34 it even shows how to extract roles from ClearPass in order to send them to the CheckPoint firewall. Newer version of this document: https://support.hpe.com/hpesc/public/docDisplay?docId=a00101500en_us

So, as you said, I am defining access roles on the CheckPoint side, but those roles are being used automatically. As far as I imagine, those roles should be picked and used only when ClearPass sends role names to the CheckPoint firewall, shouldn't they?

Thank you,

PhoneBoy
Admin

Even if your groups are passed (which I can see the API supports), you still have to create the Access Roles on the Check Point side.
Page 11:

To ensure the identity will not be verified against Check Point's identity sources, the "fetch-user-groups" and "fetch-machine-groups" should be set to 0 (zero). This is very important for Guest Users. Obviously for Guest users their userIDs do not exist within identity stores like Active Directory as they are transient users. Some guest accounts could exist within a directory but that is not usual. So as a part of the integration, identify these users and link them to a user group (a configurable Check Point attribute called access role).

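The two settings quoted above are easy to get wrong from the ClearPass side, so here is an added example (not code from the thread, from Check Point or from HPE/Aruba) that builds the Identity Awareness Web API "add-identity" body both ways and flags the combination the original poster hit: role names are sent, but the fetch-* flags are still 1, so the gateway verifies the user against its own identity store and computes Access Roles itself. Assumptions: the endpoint path `/_IA_API/v1.0/add-identity` and the field names (`shared-secret`, `ip-address`, `user`, `session-timeout`, `fetch-user-groups`, `fetch-machine-groups`, `calculate-roles`, `roles`, `domain`) follow the Check Point Identity Awareness Web API as I recall it; verify them against the Identity Awareness Administration Guide for your gateway version. The gateway hostname and shared secret are placeholders, and the sample identities are constructed.

```python
"""Build and sanity-check an Identity Awareness Web API add-identity call.

Added example for this thread, not code from the post, Check Point or HPE.
Field names and endpoint path are assumed from the Identity Awareness Web API
(v1.0); confirm them in the Identity Awareness Administration Guide.
"""
import json
import ssl
import urllib.request

GATEWAY = "gw.example.internal"   # hypothetical gateway FQDN
SHARED_SECRET = "replace-me"      # hypothetical Web API shared secret


def build_add_identity(user, ip, roles=(), verify_in_directory=True,
                       session_timeout=3600, domain=None):
    """Return the JSON body for one add-identity request.

    verify_in_directory=True: fetch-user-groups, fetch-machine-groups and
      calculate-roles are 1, so the gateway looks the user up in its own
      identity store (e.g. AD) and works out the Access Roles itself; role
      names sent here are not what decides the match.
    verify_in_directory=False: the setting the HPE guide asks for with guest
      or transient users: fetch-* are 0 and the Access Role names (which must
      already exist as Access Role objects on the Check Point side) are
      passed in "roles".
    """
    roles = list(roles)
    if not verify_in_directory and not roles:
        raise ValueError("an unverified identity must carry at least one Access Role name")
    body = {
        "shared-secret": SHARED_SECRET,
        "ip-address": ip,
        "user": user,
        "session-timeout": session_timeout,
        "fetch-user-groups": 1 if verify_in_directory else 0,
        "fetch-machine-groups": 1 if verify_in_directory else 0,
        "calculate-roles": 1 if verify_in_directory else 0,
    }
    if domain:
        body["domain"] = domain
    if roles:
        body["roles"] = roles
    return body


def role_delivery_issues(body):
    """Return the reasons a body will not get ClearPass roles applied as sent.

    Mirrors the thread: roles arrive in the pdp log, but the gateway still
    verifies the user and calculates roles locally because the flags are on.
    """
    issues = []
    if body.get("roles"):
        if body.get("fetch-user-groups", 1) or body.get("fetch-machine-groups", 1):
            issues.append("fetch-user-groups/fetch-machine-groups must be 0 "
                          "for the sent roles to be used instead of directory lookups")
        if body.get("calculate-roles", 1):
            issues.append("calculate-roles must be 0 or the gateway computes "
                          "Access Roles itself and ignores the sent names")
    else:
        issues.append("no roles sent: the gateway can only match this identity "
                      "via Access Roles it resolves from its own identity store")
    return issues


def send_add_identity(body, gateway=GATEWAY, ca_file=None):
    """POST the body to the gateway and return the parsed JSON reply.

    Not exercised offline (needs a live gateway). Pin the gateway CA rather
    than disabling verification: the shared secret travels in the body.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(
        f"https://{gateway}/_IA_API/v1.0/add-identity",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: a guest authenticated by ClearPass with no AD account.
    guest = build_add_identity("guest-4711", "10.20.30.40", ["Guest_Internet"],
                               verify_in_directory=False)
    print(json.dumps(guest, indent=2), role_delivery_issues(guest))
```

Run `role_delivery_issues` on the body your ClearPass enforcement profile actually emits before looking anywhere else: an empty list means the gateway is being told to trust the sent role names, and the remaining work is making sure each name exists as an Access Role object in the Check Point policy.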
GLTomas
Explorer

Hello, assigning "0" to those values helped. But now I have a different problem. We have an implementation where CheckPoint is integrated with an AD with an Identity Collector. But when we integrate our CheckPoint with a third-party solution, the GW gets identity information from AD and from the third-party device via API at the same time. As a result, the Checkpoint GW then has two blocks of information about the same identity from two different sources (AD and the 3rd-party tool via API), which leads to a problem, because Access roles are then assigned incorrectly. How can I make the GW pay attention only to identities learnt from 3rd-party solutions via API?

PhoneBoy
Admin

In R80.40 and above, you can adjust this via the Identity Conciliation feature.
It's described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solu...
You will need to contact the TAC to get the exact procedure for your situation.
