Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Nikhil_Patil
Participant

AD and Firewall integration

Hi,

One of our customer has Bluecoat proxy(for bandwidth management + URL filtering) and Palo alto(Application fw + IPS)firewall in their network. Network flow  LAN users -->AD server -->Bluecoat proxy --> Palo alto firewall -->Internet.

Customer want to remove Bluecoat proxy and enable the same features on Palo alto firewall. But after AD integration with Palo alto fiewall - Distributed COM Users, Event Log Readers and Server Operators - these groups are not sync. Due to that even if system admin made changes in the AD user group that change is not reflecting in Palo alto user group.

In existing setup Bluecoat proxy perfectly working fine with AD user group sync.

Customer will not change any setting for the Distributed COM Users, Event Log Readers and Server Operators groups.

Now customer asked, If we replace Bluecoat proxy with Checkpoint URL filtering feature + AD integration, will it work?

Please suggest...

Thank you....

8 Replies
_Val_
Admin
Admin

I assume that you by "AD Integration" you mean Identity awareness Software Blade.

To answer your question on whether it will work or not, one needs to see the exact use case. Most probably it will, but it is best to address this question to your local Check Point office or a relevant reseller, so they could look into details and advise.

HeikoAnkenbrand
Champion Champion
Champion

I support Symantec (Bluecoat) SG proxys for many of our customers. From my point of view, you can't replace a Symantec SG with a Check Point. Even though I think Check Point is very good product, as a proxy it can't be compared to a Symantec SG.

If you intend to do that, you should do a POC.

See Migrating the Functionality of a dedicated Proxy Server to Check Point

or  How to configure Check Point Security Gateway as HTTP/HTTPS Proxy discussion.

 

 

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
Champion Champion
Champion

Currently no support for:

- TLS 1.3

- SNI

Only available with R80.30EA and above.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
Champion Champion
Champion

It would be a good solution to use the TEX appliance from Check Point with a Symantec (Bluecoat) SG.

More see here:
Symantec (Bluecoat) SG ICAP and Sandblast (TEX)

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
Champion Champion
Champion

But always do a POC and speake with your locale Check Point SE.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Nikhil_Patil
Participant

Yes. We will do POC to test the required features but before that customer want to know - Can Checkpiont firewall active sync with AD groups or is their any AD group dependency(already mentioned AD group name) as like Palo alto firewall.

Nikhil_Patil
Participant

Yes. We will do POC but before that customer want to know - is their AD group dependency as like Palo alto in Checkpoint or not.
Wolfgang
Authority
Authority

If you mean the Palo Alto problem with adding users to a group in ActiveDirectory and this new users does not appear on the PAN-device... With Check Point this works, you add a user via ActiveDirectory to an AD-group and Check Point device knows this membership.

Wolfgang

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events