
User Directory vs. Identity Awareness

Hi, community!

One of our customers is asking for clarification regarding these two blades and honestly we're kinda having a hard time giving it to them, since the information in the course material and admin guides isn't clear enough for them.

I know - and please correct me if I'm wrong or not entirely right - UD is a management blade that will allow us to communicate with an LDAP server and manage users on that server directly from our Check Point infrastructure, as well as define authentication schemes for them; whereas IA will use the identities retrieved from, let's say, an AD, and map them to their IPs and machine names so we can use that information in rules through access roles.

We've tried that "management vs enforcement" point of view, but they get confused because according to them, some parts of the material state you can have IA without UD, but then the guide says IA uses UD. So, and I quote them, "which one is it?"

Thanks in advance for your comments!

EDIT: they're running R80/R80.10.

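To make the distinction the question draws concrete, here is an added example (not from this thread and not Check Point code) that models the enforcement side only: logon events from a directory are turned into an IP-to-user table, and access roles match rules on group membership. Every user, group, IP and event below is constructed for illustration, and the TTL-based aging is an assumption of the model rather than a description of any product's timers.

```python
"""Added example (not from the thread): a minimal model of how an
Identity Awareness style identity-to-IP table feeds access-role matching.
All users, groups, events and rules below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed stand-in for group membership the gateway would learn from the
# directory. Only read access is modelled; nothing here writes to the directory.
DIRECTORY_GROUPS = {
    "alice": {"Finance", "Domain Users"},
    "bob": {"Engineering", "Domain Users"},
    "carol": {"Domain Users"},
}

# Constructed security-log style logon events: (user, source IP, timestamp).
LOGON_EVENTS = [
    ("alice", "10.1.1.10", "2024-01-01T09:00:00"),
    ("bob", "10.1.1.20", "2024-01-01T09:05:00"),
    ("carol", "10.1.1.30", "2024-01-01T07:00:00"),  # old; will have aged out
]


@dataclass
class IdentityTable:
    """Maps source IP -> (user, last seen). Entries age out after `ttl` (assumed)."""
    ttl: timedelta = timedelta(hours=1)
    entries: dict = field(default_factory=dict)

    def ingest(self, events):
        for user, ip, ts in events:
            seen = datetime.fromisoformat(ts)
            current = self.entries.get(ip)
            # The most recent logon wins for a given IP.
            if current is None or seen > current[1]:
                self.entries[ip] = (user, seen)

    def lookup(self, ip, now):
        entry = self.entries.get(ip)
        if entry is None:
            return None
        user, seen = entry
        if now - seen > self.ttl:
            return None  # stale mapping: treat the traffic as unidentified
        return user


@dataclass
class AccessRole:
    name: str
    groups: frozenset

    def matches(self, user):
        # Unidentified traffic never matches an identity-based role.
        if user is None:
            return False
        return bool(DIRECTORY_GROUPS.get(user, set()) & self.groups)


@dataclass
class Rule:
    source_role: AccessRole
    destination: str
    action: str


def evaluate(rules, table, src_ip, dst, now):
    """First-match rule evaluation with an implicit cleanup drop."""
    user = table.lookup(src_ip, now)
    for rule in rules:
        if rule.destination == dst and rule.source_role.matches(user):
            return rule.action
    return "drop"


FINANCE = AccessRole("Finance_Users", frozenset({"Finance"}))
RULES = [Rule(FINANCE, "erp-server", "accept")]
NOW = datetime.fromisoformat("2024-01-01T09:30:00")


def build_table():
    table = IdentityTable()
    table.ingest(LOGON_EVENTS)
    return table


if __name__ == "__main__":
    table = build_table()
    for ip in ("10.1.1.10", "10.1.1.20", "10.1.1.30", "10.1.1.99"):
        print(ip, table.lookup(ip, NOW), evaluate(RULES, table, ip, "erp-server", NOW))
```

Two behaviours are worth noticing: an IP with no identity (10.1.1.99) and an IP whose mapping has aged out (carol's) both fall through to the cleanup drop, so a rulebase built on access roles is only as good as the freshness of the identity source feeding it. Nothing in the model needs write access to the directory, which is the point the replies make about User Directory being optional for identity-based enforcement.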
3 Replies

Re: User Directory vs. Identity Awareness

Identity Awareness just gets identities from a source of authentication that can be used for things like access roles and rules based on identity, and can't be used for things like changing an AD user password from a blade like Mobile Access or the Endpoint client, which require a User Directory license.

At least this is what I understand :)


Re: User Directory vs. Identity Awareness

I get this question all the time in CCSA classes. The TL;DR version of the answer is that as long as you have a firewall running at least R75 and a (free) CPSB-IA license, there is no need to enable UserDirectory or obtain a license for it UNLESS:

1) You want the ability to manage LDAP users in a read/write situation; in the real world this generally happens over the still-quivering dead body of your LDAP server administrator (i.e. practically never!). This will allow Remote Access VPN users to potentially change an expired password via the Check Point Remote Access VPN software as Marco Valenti observed, and also allow changes to LDAP user passwords/groups directly via the Check Point SmartDashboard (which also requires an extension of the LDAP user schema). This feature's checkbox is called "User Management" on the LDAP Account Unit object. (see screenshot below)

2) You want the ability to retrieve CRLs via LDAP instead of the more-typical HTTP or OCSP (not common).  This feature's checkbox is labelled "CRL retrieval" on the LDAP Account Unit object.

3) You need to do an integration to an LDAP server that is not based on Microsoft Active Directory (i.e. Novell eDirectory, Netscape, Lotus Domino, etc.). I've never done an LDAP integration to a server that was not AD in over twenty years of Check Point experience, so that should give you an idea of how common it is.

The "Use UserDirectory for Security Gateways (license required)" checkbox on the Global Properties screen for UserDirectory/SmartDirectory does NOT need to be set for IA to operate, which runs counter to some of Check Point's documentation and the CCSA R80.10 courseware. When IA's AD Query feature is first set up, the wizard automatically creates the needed Account Unit object through the underpinnings of UserDirectory, which is where a lot of the confusion comes in.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: User Directory vs. Identity Awareness

Hi there,

Apparently you also need to have a license and active User Directory if you want to use AD groups and users in the Include/Exclude settings of Threat Extraction. It's a bit surprising that such a basic feature requires this license while AD Query should be sufficient.

Getting Started with the Threat Extraction Blade 

In the Exclude/Include Users page, configure these settings:

  • Scan all mail

    Click Exceptions to not include specified users, groups, recipients or senders.

  • Scan mail only for specific users or groups

    Click Configure to select specified User Groups, Recipients or Senders.

    Note:

    A user is an object that can contain an email address with other details.

    A group is an AD group or LDAP group of users.

    A recipient is an email address only.

Important: In Global Properties > User Directory, make sure that you have selected the Use User Directory for Security Gateways option.