This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
michael3
Participant
‎2023-02-06 07:36 AM

Identity Awareness - Browser Based Authentication change accessibility

Hello,

We have Identity Awareness with Browser based authentication activated, which is accessible "through all Interfaces". We want to change this to the option "According to the Firewall Policy".  What exact rules are needed here? There is no further explantion for the option in the SmartConsole help. I also couldn't find anything online.

When we activated the "According to the Firewall Policy" option once, the Portal was not accessible at all anymore, although there was a rule with the action "accept (display captive portal)".

 

We're running R81.10 T45.

 

 

Preview file
19 KB
0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2023-02-06 02:32 PM

TCP port 443 (https) is what is required for Captive Portal to work.
The rule should just have a simple Accept action (not with Display Captive Portal).

michael3
Participant
‎2023-02-07 09:45 AM
In response to PhoneBoy

Hallo,

thx for your reply, so i would a need a rule like:
Usergroup1 -> GatewayIP (where the Captive portal (should) run) : https accept

But how do I acheive that different User objects are only allowed to access a certain destination then? Does this also mean there are no redirects anymore and customers directly have to enter the Gateway IP or DNS to the Browser?

At the moment we have rules like the following scheme:

Users1 -> DestinationIP1 : services accept(display captive portal)
Users2 -> DestinationnetworkX : services accept(display captive portal)

In the Users Object, LDAP Groups, possible source networks etc are defined.
If the destination is a http site, I'm automatically redirected to Identity Portal.


I mean a redirect is not necesarry, just that I can define different usergroups with different destinations and services

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-02-07 01:25 PM
In response to michael3

The rule I described allows the Captive Portal to be reached when "According to Firewall Policy" is used.
You still need to have your other rules in place.
Also, HTTPS Inspection must be enabled in order for redirects to occur when the destination site is HTTPS. 

michael3
Participant
‎2023-02-09 09:10 AM
In response to PhoneBoy

Hallo,

thank you very much, I now tried this successfully 🙂

I have one final question: What would I have to change, sucht that there isn't any redirect? So people just have to know that they browse to the Gateway (Identity Portal) first and then after successful login, they can do what they are allowed according to the rules.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-02-09 11:07 AM
In response to michael3

Yes, users can browse to a specific URL on the gateway and authenticate manually.
You can see the precise URL for your environment and configure various aspects of it here:

Screenshot 2023-02-09 at 1.03.14 PM.png

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events