heracliosanchez
Explorer

NAC solution or third-party integration

Good morning.
Do you know if there is a NAC solution in Check Point? And is there good integration with a third party to make a better proposal for some Spark 1800s?


Accepted Solutions
the_rock
MVP Gold

FWIW, straight from our "friend", ChatGPT 🙂

Andy

************************************************

ChatGPT said:

Yes, Check Point does not have a traditional NAC (Network Access Control) solution like Cisco ISE, Aruba ClearPass, or FortiNAC. However, Check Point offers some endpoint and network access control capabilities through its broader security portfolio and does support integration with third-party NAC solutions.

🔐 What Check Point Provides (Directly):

  1. Identity Awareness (IA)

    • Core feature on Check Point gateways (including Spark appliances like the 1800).

    • Allows user-based policies by integrating with AD, LDAP, RADIUS, etc.

    • Can map IPs to users/devices.

  2. Harmony Endpoint / Harmony Connect

    • Endpoint control, posture checks, and compliance.

    • Not true NAC but helps control what devices/users can access what, based on endpoint state.

  3. IoT Protect / Asset Management for IoT

    • Can fingerprint and control IoT assets (but again, not a full NAC suite).


Third-Party NAC Integrations (More Complete NAC Capability)

You can enhance NAC capabilities on Spark 1800s by integrating Check Point with third-party NAC solutions, like:

| NAC Solution | Integration Quality | Notes |
|---|---|---|
| Cisco ISE | Good | Use RADIUS integration + pxGrid (for sharing user/device context). Identity Awareness can pull user context from ISE. |
| Aruba ClearPass | Good | Similar to Cisco ISE; supports RADIUS and TACACS. Check Point can consume context via Identity Awareness. |
| Portnox | Moderate | Cloud-native NAC. Integrates via RADIUS. Useful in SMB/midmarket where Spark appliances are deployed. |
| Forescout CounterACT | Good | Passive & agentless. Can tag and enforce on devices. Integrates via API and RADIUS. |
| FortiNAC | Basic | Not commonly integrated with Check Point, but possible via RADIUS and logs. |

🔧 How Integration Typically Works

  1. RADIUS Authentication

    • The NAC solution acts as RADIUS server.

    • Spark 1800 authenticates users via the NAC.

    • NAC enforces access policies.

  2. Syslog/API Context Sharing

    • Some NACs send user/IP/device metadata to Check Point via syslog or APIs.

    • Check Point’s Identity Awareness consumes that metadata to apply user-aware policies.

  3. Posture Check + Quarantine VLANs

    • NAC can isolate non-compliant devices before they reach the Spark firewall.

    • Spark then enforces firewall policies after NAC authorizes the device.


📦 For Spark 1800 Use Case

Given that Spark appliances are branch/SOHO-oriented, heavy-duty NACs like ISE or ClearPass might be overkill unless you already use them elsewhere. Consider:

  • Portnox CLEAR – Cloud NAC, scalable, SMB-friendly.

  • Aruba ClearPass OnGuard Lite – Lightweight posture/NAC control.

  • Cisco ISE – Only if enterprise-wide and you need strong endpoint posture.

  • Check Point + Harmony Endpoint – If you're also using Harmony Mobile or Endpoint, posture can be partially enforced.


🧠 Recommendation Strategy

If you want a light NAC enhancement for Spark 1800s, propose:

  • Portnox or ClearPass for NAC,

  • Check Point Identity Awareness + Harmony Endpoint (for posture and integration),

  • Use RADIUS authentication on Spark + Identity Awareness to pull NAC metadata.

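The RADIUS exchange described in steps 1 and 3 above (the NAC acting as RADIUS server and handing a quarantine VLAN back to the firewall), as an added worked example that is not part of the original post and not Check Point or NAC vendor code. It assumes PAP over RADIUS with a constructed shared secret, a one-user password table, a MAC compliance list standing in for the NAC's posture check, and VLAN IDs 10 (production) and 999 (quarantine); the Spark 1800's actual RADIUS client settings are not shown in the thread.

```python
import hashlib, hmac, os, struct

# RADIUS codes and attribute types (RFC 2865, RFC 2868, RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 80, 81
TUNNEL_VLAN, MEDIUM_802 = 13, 6

# Constructed sample data, not from the thread: shared secret, one PAP user, the NAC's
# posture view (which MACs are compliant) and the VLAN IDs it hands back.
SHARED_SECRET = b"example-shared-secret"
USER_DB = {"alice": "correct horse battery"}
COMPLIANT_MACS = {"00-11-22-33-44-55"}
PRODUCTION_VLAN, QUARANTINE_VLAN = "10", "999"

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    # TLV walk; a bad length is a malformed packet, not something to skip over.
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def pap_xor(data, secret, request_auth, recovering):
    # RFC 2865 5.2: 16-byte blocks, each XORed with MD5(secret || previous cipher block).
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = data[i:i + 16] if recovering else block
    return out

def with_message_authenticator(pkt, secret):
    # RFC 2869 5.14: HMAC-MD5 over the whole packet with the attribute's value zeroed.
    pkt += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + b"\0" * 16
    pkt = pkt[:2] + struct.pack("!H", len(pkt)) + pkt[4:]
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def message_authenticator_ok(pkt, secret):
    # Find the attribute, recompute the HMAC over the zeroed packet, compare in constant time.
    i = 20
    while i + 2 <= len(pkt) and pkt[i + 1] >= 2:
        if pkt[i] == MESSAGE_AUTHENTICATOR and pkt[i + 1] == 18:
            zeroed = pkt[:i + 2] + b"\0" * 16 + pkt[i + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[i + 2:i + 18])
        i += pkt[i + 1]
    return False  # absent or malformed: reject rather than accept an unauthenticated request

def nas_build_request(ident, user, password, mac, secret=SHARED_SECRET):
    # NAS side (the firewall): Access-Request with a fresh random Request Authenticator.
    request_auth, pw = os.urandom(16), password.encode()
    body = encode_attrs([(USER_NAME, user.encode()),
                         (USER_PASSWORD, pap_xor(pw + b"\0" * (-len(pw) % 16), secret, request_auth, False)),
                         (CALLING_STATION_ID, mac.encode())])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    return with_message_authenticator(pkt, secret), request_auth

def nac_respond(code, ident, request_auth, attrs, secret):
    # Response Authenticator (RFC 2865 3): MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def nac_handle(req, secret=SHARED_SECRET):
    # NAC side acting as RADIUS server: authenticate the user, then pick a VLAN by posture.
    code, ident, length = struct.unpack("!BBH", req[:4])
    if code != ACCESS_REQUEST or length != len(req) or not message_authenticator_ok(req, secret):
        return None  # RFC 2865: silently discard packets that fail validation
    request_auth, attrs = req[4:20], dict(decode_attrs(req[20:]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = pap_xor(attrs.get(USER_PASSWORD, b""), secret, request_auth, True).rstrip(b"\0")
    if not hmac.compare_digest(USER_DB.get(user, "").encode(), password):
        return nac_respond(ACCESS_REJECT, ident, request_auth, [], secret)
    mac = attrs.get(CALLING_STATION_ID, b"").decode(errors="replace")
    vlan = PRODUCTION_VLAN if mac in COMPLIANT_MACS else QUARANTINE_VLAN
    tag = b"\0"  # RFC 2868 tunnel attributes carry a leading tag octet; 0 means untagged
    return nac_respond(ACCESS_ACCEPT, ident, request_auth, [
        (TUNNEL_TYPE, tag + struct.pack("!I", TUNNEL_VLAN)[1:]),
        (TUNNEL_MEDIUM_TYPE, tag + struct.pack("!I", MEDIUM_802)[1:]),
        (TUNNEL_PRIVATE_GROUP_ID, tag + vlan.encode())], secret)

def nas_parse_response(resp, ident, request_auth, secret=SHARED_SECRET):
    # NAS side: verify identifier and Response Authenticator before trusting any VLAN in the reply.
    code, resp_ident, length = struct.unpack("!BBH", resp[:4])
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    if length != len(resp) or resp_ident != ident or not hmac.compare_digest(expected, resp[4:20]):
        raise ValueError("reply does not authenticate: spoofed, replayed or corrupted")
    if code != ACCESS_ACCEPT:
        return {"accepted": False, "vlan": None}
    attrs = dict(decode_attrs(resp[20:]))
    if attrs.get(TUNNEL_TYPE, b"")[1:] != struct.pack("!I", TUNNEL_VLAN)[1:]:
        return {"accepted": True, "vlan": None}  # accepted, but no VLAN assignment to apply
    return {"accepted": True, "vlan": attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"\0")[1:].decode()}

def authenticate(user, password, mac, ident=7):
    # Whole exchange: NAS request, NAC decision, NAS verification; returns the NAS's view.
    req, request_auth = nas_build_request(ident, user, password, mac)
    resp = nac_handle(req)
    if resp is None:
        raise ValueError("request discarded by the NAC")
    return nas_parse_response(resp, ident, request_auth)
```

Calling `authenticate("alice", "correct horse battery", "00-11-22-33-44-55")` yields the production VLAN, the same user from an unknown MAC lands in VLAN 999, and a wrong password is rejected. The two checks that matter are on the receiving ends: the NAC discards any Access-Request whose Message-Authenticator is missing or wrong, and the NAS refuses a reply whose Response Authenticator does not verify against its own Request Authenticator, so a spoofed Access-Accept cannot move a device onto the production VLAN. RADIUS still carries all of this over MD5 and plaintext UDP, so between a branch firewall and a cloud-hosted NAC the traffic should run inside RadSec (RADIUS over TLS) or an IPsec tunnel.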
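For step 2 above (a NAC pushing user/IP/device metadata that Identity Awareness consumes), an added example that is not part of the original post and not Check Point's or any NAC vendor's code. It takes constructed key=value syslog events and turns them into the JSON bodies of Identity Awareness Web API calls, dropping events whose client IP is malformed or outside the range the NAC is trusted to speak for, and forcing non-compliant endpoints into a quarantine role regardless of what the event claims. The gateway hostname, the API shared secret, the managed LAN range, the role names and the CA bundle path are assumptions; the endpoint path and field names follow Check Point's published Identity Awareness Web API for R80.10 and later gateways, and whether the Spark 1800 offers that API is not something this thread establishes.

```python
import ipaddress
import json
import shlex
import ssl
import urllib.request

# Assumptions, not from the thread: gateway hostname, API client shared secret, the LAN
# ranges the NAC manages, and the endpoint/field names of the Identity Awareness Web API
# as documented for R80.10+ gateways (availability on the Spark 1800 is not established).
IA_API_BASE = "https://gw.example.internal/_IA_API/v1.0"
IA_SHARED_SECRET = "replace-with-the-api-client-secret"
MANAGED_RANGES = [ipaddress.ip_network("10.1.20.0/24")]
SESSION_TIMEOUT = 3600  # seconds the gateway keeps the association without a refresh

# Constructed sample events in a key=value syslog style; not real vendor output.
SAMPLE_EVENTS = """\
2024-05-01T08:00:01Z nac event=session_start user=alice ip=10.1.20.15 mac=00-11-22-33-44-55 device="alice laptop" role=Employee posture=compliant
2024-05-01T08:00:02Z nac event=session_start user=mallory ip=10.1.20.99 mac=de-ad-be-ef-00-01 device=unknown role=Employee posture=noncompliant
2024-05-01T08:00:03Z nac event=session_start user=bob ip=10.1.20.999 mac=00-00-00-00-00-02 device=bob-pc role=Employee posture=compliant
2024-05-01T08:00:04Z nac event=session_start user=carol ip=192.0.2.7 mac=00-00-00-00-00-03 device=carol-pc role=Employee posture=compliant
2024-05-01T09:30:00Z nac event=session_end user=alice ip=10.1.20.15
"""


def parse_event(line):
    """key=value tokens into a dict; shlex keeps quoted values with spaces intact."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def managed_ip(value):
    """Accept only syntactically valid addresses inside the ranges the NAC is trusted to speak for."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None
    return ip if any(ip in net for net in MANAGED_RANGES) else None


def to_ia_request(fields):
    """Map one event to (endpoint, body); returns (None, reason) when the event must be dropped."""
    ip = managed_ip(fields.get("ip", ""))
    if ip is None:
        return None, f"ignored: ip {fields.get('ip')!r} invalid or outside managed ranges"
    event = fields.get("event")
    if event == "session_end":
        return f"{IA_API_BASE}/delete-identity", {"shared-secret": IA_SHARED_SECRET, "ip-address": str(ip)}
    if event == "session_start" and fields.get("user"):
        # Posture decides the role the gateway sees: a non-compliant endpoint never inherits
        # the role the event claims, it lands in the quarantine role.
        role = fields.get("role", "Quarantine") if fields.get("posture") == "compliant" else "Quarantine"
        body = {
            "shared-secret": IA_SHARED_SECRET,
            "ip-address": str(ip),
            "user": fields["user"],
            "machine": fields.get("device", ""),
            "session-timeout": SESSION_TIMEOUT,
            "calculate-roles": 0,  # roles come from the NAC decision, not from AD group lookup
            "roles": [role],
        }
        return f"{IA_API_BASE}/add-identity", body
    return None, f"ignored: unsupported event {event!r}"


def process(log_text):
    """Run every line through the mapper; returns the requests to send and the drop reasons."""
    requests, dropped = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        endpoint, payload = to_ia_request(parse_event(line))
        if endpoint:
            requests.append((endpoint, payload))
        else:
            dropped.append(payload)
    return requests, dropped


def send(endpoint, body, ca_bundle="/etc/ssl/certs/gateway-ca.pem"):
    """POST one body; the gateway certificate is validated against a pinned CA bundle (assumed path)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(endpoint, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)
```

`process(SAMPLE_EVENTS)` produces three calls (add-identity for alice with the Employee role, add-identity for mallory forced into Quarantine, delete-identity for alice's ended session) and drops the two events with an invalid or out-of-range IP. The range check is the important part: whoever can inject a line into this feed can otherwise attach any user and role to any IP the gateway enforces on, so the collector should only accept events from the NAC itself (mutual TLS or an authenticated syslog transport) and only for addresses the NAC actually controls.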
2 Replies
Chris_Atkinson
Employee

MAC filtering & 802.1X are covered here in addition to the use of Endpoint / Identity Awareness etc.

https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Centrally_Managed/EN/Content/Topics/Co...

CCSM R77/R80/ELITE
