HaTM
Explorer

Identity Awareness - R81.20 For Lab

I set up a virtual lab with Check Point Firewall Security Management and Standalone R81.20 to test the integration of the Aruba ClearPass Policy Manager solution. When I enabled the Identity Awareness feature on Check Point and tried to post an API call to the Firewall address, there was no response. Therefore, I tried using Postman and a browser to the Firewall's API address, but both showed a 404 Error "No URL" result as shown below:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>

<HEAD>
    <TITLE> 404 File Not Found </TITLE>
</HEAD>

<BODY>

    The URL you requested could not be found on this server.
So I really need help to resolve this issue, thanks!
0 Kudos
27 Replies
PhoneBoy
Admin

What precise steps were taken to enable Identity Awareness on the gateway?
At the very least you need to enable the blade and push policy to the relevant gateway.

0 Kudos
HaTM
Explorer

Hi, thanks for your response.

I have reinstalled the lab and successfully sent API using Postman. Currently, I am encountering issues sending API from ClearPass Policy Manager to the Firewall. I have configured the Context Server actions on ClearPass and tested by logging in/out users from CP OnGuard Agent; however, I do not see any Identity Awareness logs on Check Point. How can I troubleshoot the log sending/receiving between these two servers? I would greatly appreciate your guidance.

0 Kudos
PhoneBoy
Admin

I'm not familiar with the integration with Aruba.
Generally speaking, though:

  • Users should be communicated to our gateways via the IDA API 
  • Groups (necessary for Access Roles) will come from LDAP (usually from on-premise Active Directory)

I'd start by checking the Aruba side of this to make sure it is sending us information.
A simple tcpdump should verify the Aruba server is sending traffic to the gateway on port 443.

0 Kudos
HaTM
Explorer

Thank you for your response. I have currently opened a support case with Aruba TAC to debug why the API is not being sent from ClearPass. I have an additional question: with this integration, does Check Point require user authentication (via LDAP or AD)? Can I create a dynamic policy to manage user access on Check Point based solely on parameters such as IP address and the ClearPass PC health check results?

0 Kudos
PhoneBoy
Admin

Identity Awareness receives information via Identity Agents, Identity Collector, or the Identity Awareness API (e.g. for Aruba Clearpass).
Among this information is the user...which is not strictly required.
However, one or more Identity Tags would probably need to be defined to create the relevant Access Policy rules.

0 Kudos
HaTM
Explorer

Hi, I tried to post to the Firewall IA API via Postman with this content:

{"shared-secret":"**********", "user": "NACAdmin","ip-address":"1.2.3.4","identity-source": "Aruba ClearPass Policy Manager","calculate-roles":0,"fetch-user-groups": 0,"fetch-machine-groups": 0,"roles": "[%{Role Test}]"}

But I got this result:

   "message": "Unexpected type 'string' for parameter 'roles' in object of type 'add-identity'. Type should be convertible to array"
 
So how can I push a user's roles to the Firewall? Because, according to Check Point's guide here https://sc1.checkpoint.com/documents/latest/IdentityAPIs/#web/add-identity~v1%20
I can send the role name to CP.
0 Kudos
PhoneBoy
Admin

Roles needs to be an array, which is enclosed in square brackets.
The roles listed between the square brackets must be enclosed in quotes (i.e. strings).
Your JSON should look like this:

{
  "shared-secret": "**********",
  "user": "NACAdmin",
  "ip-address": "1.2.3.4",
  "identity-source": "Aruba ClearPass Policy Manager",
  "calculate-roles": 0,
  "fetch-user-groups": 0,
  "fetch-machine-groups": 0,
  "roles": ["Role Test"]
}

0 Kudos
HaTM
Explorer

Hi PhoneBoy, thanks for your reply.

I have successfully sent a manual API call and the Check Point Firewall has added the identity for the user. Currently, I am having an issue with ClearPass sending the API call automatically to Check Point. By capturing packets with Wireshark at the Firewall, I observed that there was a POST message sent from ClearPass. However, there is no record in the log for blade:IA. What should I do to debug this case? Please help me.

0 Kudos
PhoneBoy
Admin

Can you see the exact API call with JSON body sent by Clearpass to the gateway?
Without that, and given that you were able to make a successful API call on your own, I assume this issue is on the Clearpass side.

0 Kudos
HaTM
Explorer

Yes, I have a Wireshark capture of the API packet sent to Check Point. ClearPass is not including the ip-address parameter in outgoing communications, thus the current issue lies with ClearPass. I have opened a case with Aruba TAC and hope they can assist me in resolving this issue. Additionally, I would like to inquire about licenses for the lab. Where can I obtain a temporary license, as my current lab setup will run out of its license in a few days?

0 Kudos
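A check for the two payload problems this thread runs into, written as an added example (it is not code from the thread, from Check Point or from Aruba): the "roles" value arriving as a string instead of an array, and a POST that carries no "ip-address" at all. The captured request below is constructed to reproduce both; the /_IA_API/v1.0/add-identity path is assumed from the Identity API guide linked earlier and should be verified against it, 192.0.2.10 is a documentation address, and the secret is a placeholder.

```python
import json
from typing import Any, Dict, List

# Constructed capture of the POST a NAC server might send to the gateway's
# Identity Awareness API. It reproduces both mistakes discussed in the thread:
# "roles" arrives as a string and there is no "ip-address" at all.
# The path is assumed from the Identity API documentation; the host is a
# documentation address and the secret is a placeholder.
CAPTURED_POST = (
    "POST /_IA_API/v1.0/add-identity HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"shared-secret": "PLACEHOLDER_SECRET", "user": "NACAdmin", '
    '"identity-source": "Aruba ClearPass Policy Manager", '
    '"calculate-roles": 1, "fetch-user-groups": 0, "fetch-machine-groups": 0, '
    '"roles": "[%{Role Test}]"}'
)

# Parameters the gateway needs to accept the call (shared-secret) or whose
# absence, as seen in this thread, leaves no identity behind (ip-address).
REQUIRED = ("shared-secret", "ip-address")
FLAGS = ("calculate-roles", "fetch-user-groups", "fetch-machine-groups")


def extract_json_body(raw_http: str) -> Dict[str, Any]:
    """Split a captured HTTP request into header block and body, decode the JSON body."""
    head, sep, body = raw_http.partition("\r\n\r\n")
    if not sep:
        raise ValueError("capture has no header/body separator")
    request_line = head.split("\r\n", 1)[0]
    if not request_line.startswith("POST "):
        raise ValueError(f"expected a POST request, got: {request_line}")
    return json.loads(body)


def validate_add_identity(payload: Dict[str, Any]) -> List[str]:
    """Return the problems that would make the gateway reject or ignore the call."""
    problems: List[str] = []
    for key in REQUIRED:
        if key not in payload:
            problems.append(f"missing required parameter '{key}'")
    roles = payload.get("roles")
    if roles is not None:
        if not isinstance(roles, list):
            problems.append(
                f"'roles' must be an array of strings, got {type(roles).__name__}: {roles!r}"
            )
        elif not all(isinstance(r, str) and r for r in roles):
            problems.append("every element of 'roles' must be a non-empty string")
    for flag in FLAGS:
        if flag in payload and payload[flag] not in (0, 1):
            problems.append(f"'{flag}' must be 0 or 1, got {payload[flag]!r}")
    return problems


def build_add_identity(
    shared_secret: str,
    user: str,
    ip_address: str,
    roles,
    identity_source: str = "Aruba ClearPass Policy Manager",
    calculate_roles: int = 0,
) -> Dict[str, Any]:
    """Build a payload in the shape the gateway accepts; a lone role name is wrapped in a list."""
    if isinstance(roles, str):
        roles = [roles]
    payload = {
        "shared-secret": shared_secret,
        "user": user,
        "ip-address": ip_address,
        "identity-source": identity_source,
        "calculate-roles": calculate_roles,
        "fetch-user-groups": 0,
        "fetch-machine-groups": 0,
        "roles": list(roles),
    }
    problems = validate_add_identity(payload)
    if problems:
        raise ValueError("; ".join(problems))
    return payload


if __name__ == "__main__":
    body = extract_json_body(CAPTURED_POST)
    for problem in validate_add_identity(body):
        print("captured request:", problem)
    fixed = build_add_identity("PLACEHOLDER_SECRET", "NACAdmin", "1.2.3.4", "Role Test")
    print(json.dumps(fixed, indent=2))
```

Paste the request text from Wireshark's followed stream (after TLS decryption, since the API is served on 443) into CAPTURED_POST to see which of the two problems applies to a real capture; the payload build_add_identity produces has the same shape as the corrected JSON in the reply above.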
PhoneBoy
Admin

You can generate evaluation licenses via UserCenter, as described here: https://community.checkpoint.com/t5/General-Topics/How-to-Request-an-Evaluation-License-for-Security...

0 Kudos
HaTM
Explorer

Hi, kindly answer one more question. When I turn on Identity Awareness on the Firewall and use the AD Query option to connect the Firewall to the AD/LDAP server, I see a note that an Administrator account must be used. So, what is the admin account here? What are its privileges (e.g., domain admin, schema admin, or some other admin)? Do you have any documentation about this that you can share?

image.png

0 Kudos
PhoneBoy
Admin

Start here: https://support.checkpoint.com/results/sk/sk93938
If you don't like users being part of the "Server Operators" group, see also: https://support.checkpoint.com/results/sk/sk104900

In general, we recommend using Identity Collector over ADQuery: https://support.checkpoint.com/results/sk/sk60301 

0 Kudos
HaTM
Explorer

To integrate the Check Point Firewall with an OpenLDAP server, what level of user permissions do I need to create on the LDAP end for the Firewall to be able to use the AD Query feature? Kindly guide me, thanks!

0 Kudos
PhoneBoy
Admin

ADQuery uses WMI, which I'm fairly certain OpenLDAP does not implement.
In any case, we don't support the use of OpenLDAP for Identity Awareness.

0 Kudos
HaTM
Explorer

Hi PhoneBoy, 

I have successfully sent an API call from ClearPass to Check Point. However, now I have a new issue with updating the Access Role on the Firewall. For every Role value that I send with the variable "calculate-roles" = 1, the Firewall automatically updates all my users into all the existing Access Roles on the Firewall.

2024-07-06_16-49-28.png

How can I update the role for the user correctly on the firewall? Please guide me, thank you.

0 Kudos
PhoneBoy
Admin

To use groups sent through the Identity Awareness API, they have to be created as Identity Tags using the same capitalization as defined on the source.
See: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_IdentityAwareness_AdminGuide... 

0 Kudos
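A small model of the rule in this reply, added here as an example (not code from the thread or from Check Point): a role name sent through the API only counts if an Identity Tag with exactly that name, same capitalization, exists on the gateway. The tag names, Access Role names and the representation of an Access Role as a set of Identity Tags are constructed simplifications for the lab, not Check Point's actual objects.

```python
from typing import Any, Dict, Iterable, List, Set

# Constructed sample: Identity Tag objects defined on the gateway and the
# Access Roles that reference them. A simplified model for the matching rule
# discussed in the thread, not Check Point's real data structures.
GATEWAY_IDENTITY_TAGS: Set[str] = {"CPPM", "Role Test", "Quarantine"}
ACCESS_ROLES: Dict[str, Set[str]] = {
    "AR_ClearPass_Healthy": {"CPPM"},
    "AR_Role_Test": {"Role Test"},
    "AR_Quarantine": {"Quarantine"},
}


def classify_roles(sent_roles: Iterable[str], defined_tags: Set[str]) -> Dict[str, Any]:
    """Sort the roles from an add-identity call into exact matches, names that
    differ from a defined tag only by case, and names with no tag at all."""
    exact: List[str] = []
    case_mismatch: Dict[str, str] = {}
    unknown: List[str] = []
    by_lower = {tag.lower(): tag for tag in defined_tags}
    for role in sent_roles:
        if role in defined_tags:
            exact.append(role)
        elif role.lower() in by_lower:
            case_mismatch[role] = by_lower[role.lower()]
        else:
            unknown.append(role)
    return {"exact": exact, "case_mismatch": case_mismatch, "unknown": unknown}


def access_roles_for(
    sent_roles: Iterable[str], access_roles: Dict[str, Set[str]], defined_tags: Set[str]
) -> List[str]:
    """Access Roles the identity lands in: only exactly matching tag names count."""
    matched = set(classify_roles(sent_roles, defined_tags)["exact"])
    return sorted(name for name, tags in access_roles.items() if tags & matched)


def report(sent_roles: List[str]) -> str:
    """Explain, per role name, why it did or did not map; handy when reading the IA log."""
    result = classify_roles(sent_roles, GATEWAY_IDENTITY_TAGS)
    lines = [f"matched tags: {result['exact'] or 'none'}"]
    for sent, defined in result["case_mismatch"].items():
        lines.append(f"'{sent}' ignored: tag is defined as '{defined}' (case must match)")
    for name in result["unknown"]:
        lines.append(f"'{name}' ignored: no Identity Tag with that name")
    landed = access_roles_for(sent_roles, ACCESS_ROLES, GATEWAY_IDENTITY_TAGS)
    lines.append(f"Access Roles: {landed or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    # "cppm" differs from the defined tag only by case, so it is not matched.
    print(report(["cppm", "Role Test", "Contractor"]))
```

Replace GATEWAY_IDENTITY_TAGS with the tag names from your own object list and feed in the roles array from the API body to see which names the gateway can actually use.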
HaTM
Explorer

Hi PhoneBoy, 
My config for the Access Role with Specified network is below:

Subnet added: 10.84.3.0/24

When the user logs in successfully, I only see the successful login logs as follows:
Log details 1.PNG
User login successfully 1.PNG

So I'm confused whether, without the Access Role Up log, this User of mine can be correctly mapped to that CPPM Access Role or not.

0 Kudos
PhoneBoy
Admin

The log you provided shows the roles that were mapped to the user (in your example CPPM).

0 Kudos
HaTM
Explorer

Hi PhoneBoy, thanks for your response. One more question: with the log below, was my user updated with the new Access Role when a new API call was sent to the Firewall?

Access Role Update.png

0 Kudos
PhoneBoy
Admin

Did you check the full log card of each entry?
I assume it would be listed there if it was updated.

0 Kudos
HaTM
Explorer

Yes, I checked the full log card of each entry and see the user login successful with new roles. But at the PC test I don't see affected.

0 Kudos
PhoneBoy
Admin

"I don't see affected" please provide specifics about how you determined this.
Include screenshots of relevant rules and log entries (redacting sensitive details).

0 Kudos
HaTM
Explorer

Hi PhoneBoy, 
Now I have a new issue when operating with IA. In the IA log on the Firewall I see the user login successful like this:

Login Successful IA.png

However, with this PC, its traffic is still being processed by the Deny rule in the Policy instead of going through the Accept rule.

Rule policy.png

On the same PC, when I tried logging back into the ClearPass Agent with a different user, the traffic followed the correct path immediately. However, this issue only occurs the first time I apply the policy to direct the traffic. Once the users/IPs are stabilized, the issue no longer persists.

In the Access Role settings, I specify the source with the IP pool only, and User with the "Any users" option. Should I try specifying the user with an Authentication source like ClearPass (the source content of the API call)?

0 Kudos
PhoneBoy
Admin

"this issue only occurs the first time I apply the policy to direct the traffic" please describe in more detail the precise steps taken here.
As far as I know, you can only specify Remote Access Clients as a specific identity source in an Access Role.

0 Kudos
HaTM
Explorer

"this issue only occurs the first time I apply the policy to direct the traffic" - I mean that when I retry sending a logout and re-login/login with another user and the traffic goes through stably, this issue no longer affects it.

And this issue also occurs randomly within an IP pool when I configure the policy. Even though the devices are on the same network segment, it only happens on one or a few PCs.

0 Kudos
PhoneBoy
Admin

So it's only the first login on which this occurs, correct?
Further, it's not consistent, correct?

You're probably going to need a TAC case to investigate this.
https://help.checkpoint.com 

0 Kudos