Carlos_Machado1
Participant

User Directory vs. Identity Awareness

Hi, community!

One of our customers is asking for clarification regarding these two blades and honestly we’re kinda having a hard time giving it to them, since the information in course material and admins guides isn't clear enough for them.

I know - and please correct me if I'm wrong or not entirely right - UD is a management blade that will allow us to communicate with an LDAP server and manage users on that server directly from our Check Point infrastructure, as well as define authentication schemes for them; whereas IA will use the identities retrieved from, let's say, an AD, and maps them to their IPs and machine names so we can use that information in rules through access roles.

We've tried that "management vs enforcement" point of view, but they get confused because according to them, some parts of the material state you can have IA without UD, but then the guide says IA uses UD. So, and I quote them, "which one is it?"

Thanks in advance for your comments!

EDIT: they're running R80/R80.10.

10 Replies
Marco_Valenti
Advisor

Identity Awareness just gets identities from an authentication source, which can be used for things like access roles and identity-based rules; it can't be used for things like changing an AD user's password from a blade like Mobile Access or the Endpoint client, which require a User Directory license.

At least this is what I understand :)
Timothy_Hall
Legend

I get this question all the time in CCSA classes.  The TL;DR version of the answer is that as long as you have a firewall running at least R75 and a (free) CPSB-IA license, there is no need to enable UserDirectory or obtain a license for it UNLESS:

1) You want the ability to manage LDAP users in a read/write situation; in the real world this generally happens over the still-quivering dead body of your LDAP server administrator (i.e. practically never!).  This will allow Remote Access VPN users to potentially change an expired password via the Check Point Remote Access VPN software as Marco Valenti observed, and also allow changes to LDAP user passwords/groups directly via the Check Point SmartDashboard (which also requires an extension of the LDAP user schema).  This feature's checkbox is called "User Management" on the LDAP Account Unit object.  (see screenshot below)

2) You want the ability to retrieve CRLs via LDAP instead of the more-typical HTTP or OCSP (not common).  This feature's checkbox is labelled "CRL retrieval" on the LDAP Account Unit object.

3) You need to do an integration to an LDAP server that is not based on Microsoft Active Directory (i.e. Novell eDirectory, Netscape, Lotus Domino, etc).  I've never done an LDAP integration to a server that was not AD in over twenty years of Check Point experience, so that should give you an idea of how common it is.

The "Use UserDirectory for Security Gateways (license required)" checkbox on the Global Properties screen for UserDirectory/SmartDirectory does NOT need to be set for IA to operate, which runs counter to some of Check Point's documentation and the CCSA R80.10 courseware.   When IA's AD Query feature is first set up the wizard automatically creates the needed Account Unit object through the underpinnings of UserDirectory which is where a lot of the confusion comes in.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
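As an added illustration (example code written for this page, not Check Point's own code and not from any post in the thread), here is a small Python model of the one job Identity Awareness does that User Directory does not: turning domain-controller logon events into an IP-to-user table that access roles can then match on. AD Query reads Windows Security events such as 4624 (logon), 4768 (Kerberos TGT) and 4769 (Kerberos service ticket) from the DCs; the events below are constructed samples, and the filtering rules (dropping machine accounts, logons with no client IP, failed logons, and letting the newest user seen at an address win) are assumptions chosen for the example, not a description of the gateway's exact logic.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional

# Security event IDs AD Query reads from domain controllers (assumed set for this example):
# 4624 = successful logon, 4768 = Kerberos TGT request, 4769 = Kerberos service ticket.
LOGON_EVENT_IDS = {4624, 4768, 4769}

# Source address values that carry no usable client location.
NO_CLIENT_SOURCES = {"-", "", "127.0.0.1", "::1", "::"}


@dataclass
class Identity:
    user: str
    domain: str
    last_seen: int  # epoch seconds of the newest logon event for this IP


def _normalize_ip(raw: str) -> Optional[str]:
    """Return a canonical IP string, or None when the event has no client IP."""
    if raw in NO_CLIENT_SOURCES:
        return None
    try:
        addr = ip_address(raw)
    except ValueError:
        return None
    # Dual-stack DCs log IPv4 clients as IPv4-mapped IPv6 ("::ffff:10.1.2.9").
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_loopback or addr.is_unspecified:
        return None
    return str(addr)


def _is_user_account(name: str) -> bool:
    """Machine accounts end in '$'; anonymous and system logons are not users."""
    return bool(name) and not name.endswith("$") and name.upper() not in {"ANONYMOUS LOGON", "SYSTEM"}


def build_identity_map(events: List[dict]) -> Dict[str, Identity]:
    """Replay logon events in time order; the newest user seen at an IP owns it."""
    table: Dict[str, Identity] = {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] not in LOGON_EVENT_IDS:  # e.g. 4625 failed logon is ignored
            continue
        user = ev.get("TargetUserName", "")
        if not _is_user_account(user):
            continue
        ip = _normalize_ip(ev.get("IpAddress", "-"))
        if ip is None:
            continue
        # Kerberos events carry the DNS realm (CORP.EXAMPLE); 4624 carries the NetBIOS name (CORP).
        domain = ev.get("TargetDomainName", "").split(".")[0].upper()
        current = table.get(ip)
        if current is None or ev["TimeCreated"] >= current.last_seen:
            table[ip] = Identity(user.lower(), domain, ev["TimeCreated"])
    return table


def user_at(table: Dict[str, Identity], ip: str) -> Optional[Identity]:
    """What an access-role match needs: who is behind this source IP right now?"""
    return table.get(ip)


def ips_for(table: Dict[str, Identity], user: str) -> List[str]:
    """Reverse lookup: every address currently attributed to a user."""
    return sorted(ip for ip, ident in table.items() if ident.user == user.lower())


# Constructed sample events in the shape of the fields AD Query cares about (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "TargetDomainName": "CORP", "IpAddress": "10.1.2.3", "LogonType": "3", "TimeCreated": 100},
    {"EventID": 4624, "TargetUserName": "DC01$", "TargetDomainName": "CORP", "IpAddress": "10.1.2.5", "LogonType": "3", "TimeCreated": 101},
    {"EventID": 4768, "TargetUserName": "asmith", "TargetDomainName": "CORP.EXAMPLE", "IpAddress": "::ffff:10.1.2.9", "TimeCreated": 102},
    {"EventID": 4624, "TargetUserName": "jdoe", "TargetDomainName": "CORP", "IpAddress": "-", "LogonType": "2", "TimeCreated": 103},
    {"EventID": 4769, "TargetUserName": "jdoe", "TargetDomainName": "CORP.EXAMPLE", "IpAddress": "10.1.2.7", "TimeCreated": 104},
    {"EventID": 4624, "TargetUserName": "bwong", "TargetDomainName": "CORP", "IpAddress": "10.1.2.3", "LogonType": "3", "TimeCreated": 105},
    {"EventID": 4625, "TargetUserName": "mallory", "TargetDomainName": "CORP", "IpAddress": "10.1.2.3", "LogonType": "3", "TimeCreated": 106},
]

if __name__ == "__main__":
    for ip, ident in sorted(build_identity_map(SAMPLE_EVENTS).items()):
        print(f"{ip:12} -> {ident.domain}\\{ident.user} (seen {ident.last_seen})")
```

Note what is absent from this model: nothing here binds to LDAP, reads group membership, or writes anything back to the directory. That is the User Directory side of the split Timothy describes; the gateway only needs the logon events (and the Account Unit the AD Query wizard creates) to produce the mapping above.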
Willem_Goethals
Participant

Hi there,

Apparently you also need to have a license and active User Directory if you want to use AD groups and users in the Include/Exclude settings of Threat Extraction. It's a bit surprising that such a basic feature requires this license while AD Query should be sufficient.

Getting Started with the Threat Extraction Blade 

In the Exclude/Include Users page, configure these settings:

  • Scan all mail

    Click Exceptions to not include specified users, groups, recipients or senders.

  • Scan mail only for specific users or groups

    Click Configure to select specified User Groups, Recipients or Senders.

    Note:

    A user is an object that can contain an email address with other details.

    A group is an AD group or LDAP group of users

    A recipient is an email address only.

Important: In Global Properties > User Directory, make sure that you have selected the Use User Directory for Security Gateways option.

efraim
Explorer
Thank you Timothy.

Only if I enable User Management am I able to select the domain when I enable Identity Awareness. Do you know why? I got a bit confused.
Timothy_Hall
Legend

Yes, the "User Management" checkbox on the AU object itself must be set for IA to work, although this checkbox was mentioned in my post in the context of User Directory.  What does not necessarily need to be set (subject to the conditions mentioned above) is the "Use UserDirectory for Security Gateways (license required)" checkbox in the Global Properties.
efraim
Explorer

Thank you 🙂

armandxhafa
Explorer

Hello,

I have a question regarding User Directory and Identity Awareness. Can I use only User Directory with Active Directory on the Management Server, without Identity Awareness on the Gateways?

I want to integrate a Check Point infrastructure with 1 Mgmt and 2 GWs with AD, then create some policies for remote VPN using AD groups.

I know that using IA you cannot retrieve info from AD groups; you need UD to do this, or am I wrong?

Thanks
PhoneBoy
Admin
Admin

You can create Access Roles for Remote Access with more granularity using Identity Awareness, which can be restricted to Remote Access.
This would be the preferred approach versus using legacy groups/objects.

yunier88
Participant

Hello,

I am currently working on configuring machine certificates, but I have a question. How can I integrate my FW with my Microsoft AD in order to find the users and computers that belong to that AD? I need to do this to be able to create the Access Roles.

Thanks
FriedBacon
Explorer

Finally! The answer I have been looking for;

> I have always been confused and conflicted with CP's documentation. CP's LDAP best practice guide (under sk31841) recommends that it should be enabled, but as per our testing it just works even if disabled (and has been working for all of our clients deployed with CP's firewall).