Hi,
I wish to implement user-based access rules in the firewall. I am using a 13k series firewall as a data center firewall.
Access from a user workstation to a server should be based on "user logon" information (source as an AD user and destination as a server IP).
Based on my knowledge, I assume that this is simple by using LDAP integration. However, what I wish to know is the backend process that the firewall uses to identify the user logon information. For example, does the firewall check the user ID info along with the IP address using the WMI interface? If that is the case, for how long does it keep the mapping of IP address to user ID?
Regards,
Biju
The process you are referring to is called "AD Query" by Check Point. A process called pdpd on the firewall uses WMI to monitor certain entries being written to the domain controller's security log, such as domain logons (Kerberos ticket assignments) and domain/ticket renewals. When pdpd receives a security log entry of this nature, it puts a user-to-IP mapping in the firewall's cache, and at that time also performs an additional query against AD to see which AD groups the user is a member of. By default the mapping will be kept in the firewall's cache for a maximum of 12 hours, unless a renewal or other event is received for that same mapping, at which time the 12-hour countdown will start again.
The monitoring of the domain controller's security log can be "outsourced" from the firewall to the Windows-based Identity Collector software in R80.10, which uses a special API interface to monitor security log entries instead of WMI. This API process is more efficient and reduces the load imposed on the domain controller.
The official Identity Awareness Administration Guide documentation should be able to answer any further questions, as well as:
sk86441: ATRG: Identity Awareness
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
Thanks Tim.
Does that mean that the details received by pdpd through WMI are only related to user logon?
On what basis does pdpd map the user to the IP?
Regards,
Biju Nair
The mapping is formed via AD Query based on these events occurring in the DC's security log:
- 4624: An account was successfully logged on.
- 4768: A Kerberos authentication ticket (TGT) was requested.
- 4769: A Kerberos service ticket was requested.
- 4770: A Kerberos service ticket was renewed.
There are many other options for forming mappings such as RADIUS accounting, captive portal, and in R80.10 an API interface that can form mappings on the firewall based on just about anything.
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com
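To make the two answers above concrete (the four mapping-forming event IDs, and the 12-hour cache whose countdown restarts on a newer event for the same IP), here is a toy model of that cache. This is an added example, not Check Point's pdpd code: the real process reads these entries from the domain controller's security log over WMI (or from Identity Collector); here the events are a constructed in-memory list, the AD group query is left out, and skipping machine accounts (names ending in `$`) is an assumption rather than something the thread states.

```python
"""Toy model of the AD Query user-to-IP cache described in this thread.

Added example, not Check Point code. Events are constructed; the cache
keeps each mapping for 12 hours and restarts the countdown whenever
another mapping-forming event arrives for the same IP.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Security log event IDs the thread lists as forming a mapping.
MAPPING_EVENTS = {
    4624: "account successfully logged on",
    4768: "Kerberos TGT requested",
    4769: "Kerberos service ticket requested",
    4770: "Kerberos service ticket renewed",
}

DEFAULT_TTL = timedelta(hours=12)  # default lifetime stated in the thread


@dataclass(frozen=True)
class SecurityEvent:
    event_id: int
    account: str      # sAMAccountName, e.g. "alice" or a machine account "WS01$"
    source_ip: str    # "Source Network Address" field of the log entry
    timestamp: datetime


@dataclass
class Mapping:
    user: str
    expires: datetime
    learned_from: int  # event ID that created or last refreshed the entry


class IdentityCache:
    def __init__(self, ttl: timedelta = DEFAULT_TTL) -> None:
        self.ttl = ttl
        self._by_ip: Dict[str, Mapping] = {}

    def ingest(self, ev: SecurityEvent) -> Optional[Mapping]:
        """Create or refresh the mapping for ev.source_ip; None if the event is ignored."""
        if ev.event_id not in MAPPING_EVENTS:
            return None                      # e.g. 4634 logoff, 5140 share access
        if ev.source_ip in ("", "-", "::1", "127.0.0.1"):
            return None                      # no usable client address
        if ev.account.endswith("$"):
            return None                      # assumption: skip machine accounts
        m = Mapping(ev.account, ev.timestamp + self.ttl, ev.event_id)
        self._by_ip[ev.source_ip] = m        # a newer event restarts the countdown
        return m

    def lookup(self, ip: str, now: datetime) -> Optional[str]:
        """Return the user currently mapped to ip, expiring stale entries lazily."""
        m = self._by_ip.get(ip)
        if m is None:
            return None
        if now >= m.expires:
            del self._by_ip[ip]
            return None
        return m.user

    def __len__(self) -> int:
        return len(self._by_ip)


def rule_matches(cache: IdentityCache, src_ip: str, dst_ip: str, now: datetime,
                 allowed_user: str, server_ip: str) -> bool:
    """Evaluate one 'AD user -> server IP' access rule against the cache."""
    return dst_ip == server_ip and cache.lookup(src_ip, now) == allowed_user


# Constructed sample log entries (not from a real domain controller).
T0 = datetime(2025, 1, 1, 8, 0)
SAMPLE_EVENTS: List[SecurityEvent] = [
    SecurityEvent(4624, "alice", "10.0.0.5", T0),
    SecurityEvent(4624, "bob",   "10.0.0.6", T0),
    SecurityEvent(5140, "carol", "10.0.0.7", T0),                       # not mapping-forming
    SecurityEvent(4624, "WS01$", "10.0.0.8", T0),                       # machine account
    SecurityEvent(4769, "alice", "10.0.0.5", T0 + timedelta(hours=6)),  # refreshes alice
]


def hours_after(h: int) -> datetime:
    return T0 + timedelta(hours=h)


def build_sample_cache() -> IdentityCache:
    cache = IdentityCache()
    for ev in SAMPLE_EVENTS:
        cache.ingest(ev)
    return cache


if __name__ == "__main__":
    cache = build_sample_cache()
    for h in (11, 13, 19):
        print(f"+{h:2}h  10.0.0.5 -> {cache.lookup('10.0.0.5', hours_after(h))}  "
              f"10.0.0.6 -> {cache.lookup('10.0.0.6', hours_after(h))}")
```

Bob's mapping lapses 12 hours after his logon because nothing refreshed it, while Alice's service-ticket request at +6h pushes hers out to +18h; that is exactly the "countdown starts again" behaviour, and also why a user who stops touching domain resources can silently fall out of the identity rules.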
You can also use Identity Collector -> sk108235
I would stay away from the WMI and AD Query based approach. It fits small to medium size companies up to a few hundred users according to our "experience".
Go with IDC as Neil said:
We've been running IA rules for the last 2.5 years and had a very bumpy road with AD queries, and in the end were forced to ditch it completely. We are a 25k+ user company.
Feel free to PM me if you want more details
I would just also add to this that you may want to consider deploying the Identity Awareness Agent to your machines as well. This agent reports user data back to the PDP server at definable time intervals. We were having huge problems with consistency in IA rules being applied for users who roam between wired and wireless connections throughout our various buildings. The AD Query couldn't keep the user information "fresh" with that much movement unless they were authenticating to things on the domain.
The IA Agent solves this problem by forcing regular checkins to the PDP server and keeps the user information better up to date.