Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hi, community!
One of our customers is asking for clarification regarding these two blades and honestly we’re kinda having a hard time giving it to them, since the information in course material and admins guides isn't clear enough for them.
I know - and please correct me if I'm wrong or not entirely right - UD is a management blade that will allow us to communicate with an LDAP server and manage users on that server directly from our Check Point infrastructure, as well as define authentication schemes for them; whereas IA will use the identities retrieved from, let's say, an AD, and maps them to their IPs and machine names so we can use that information in rules through access roles.
We've tried that "management vs enforcement" point of view, but they get confused because according to them, some parts of the material state you can have IA without UD, but then the guide says IA uses UD. So, and I quote them, "which one is it?" 
Thanks in advance for your comments!
EDIT: they're running R80/R80.10.
1 Solution
Accepted Solutions
I get this question all the time in CCSA classes. The TL;DR version of the answer is that as long as you have a firewall running at least R75 and a (free) CPSB-IA license, there is no need to enable UserDirectory or obtain a license for it UNLESS:
1) You want the ability to manage LDAP users in a read/write situation; in the real world this generally happens over the still-quivering dead body of your LDAP server administrator (i.e. practically never!). This will allow Remote Access VPN users to potentially change an expired password via the Check Point Remote Access VPN software as Marco Valenti observed, and also allow changes to LDAP user passwords/groups directly via the Check Point SmartDashboard (which also requires an extension of the LDAP user schema). This feature's checkbox is called "User Management" on the LDAP Account Unit object. (see screenshot below)
2) You want the ability to retrieve CRLs via LDAP instead of the more-typical HTTP or OCSP (not common). This feature's checkbox is labelled "CRL retrieval" on the LDAP Account Unit object.
3) You need to do an integration to an LDAP server that is not based on Microsoft Active Directory (i.e. Novell eDirectory, Netscape, Lotus Domino, etc). I've never done an LDAP integration to a server that was not AD in over twenty years of Check Point experience, so that should give you an idea of how common it is.
The "Use UserDirectory for Security Gateways (license required)" checkbox on the Global Properties screen for UserDirectory/SmartDirectory does NOT need to be set for IA to operate, which runs counter to some of Check Point's documentation and the CCSA R80.10 courseware. When IA's AD Query feature is first set up the wizard automatically creates the needed Account Unit object through the underpinnings of UserDirectory which is where a lot of the confusion comes in.
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
Identity awareness just get identity from a source of authentication that can be used for things like access role and rule based on identity and can't be used for things like changing ad user password from blade like mobile access or endpoint client that require user directory license.
At least this is what I understand 
I get this question all the time in CCSA classes. The TL;DR version of the answer is that as long as you have a firewall running at least R75 and a (free) CPSB-IA license, there is no need to enable UserDirectory or obtain a license for it UNLESS:
1) You want the ability to manage LDAP users in a read/write situation; in the real world this generally happens over the still-quivering dead body of your LDAP server administrator (i.e. practically never!). This will allow Remote Access VPN users to potentially change an expired password via the Check Point Remote Access VPN software as Marco Valenti observed, and also allow changes to LDAP user passwords/groups directly via the Check Point SmartDashboard (which also requires an extension of the LDAP user schema). This feature's checkbox is called "User Management" on the LDAP Account Unit object. (see screenshot below)
2) You want the ability to retrieve CRLs via LDAP instead of the more-typical HTTP or OCSP (not common). This feature's checkbox is labelled "CRL retrieval" on the LDAP Account Unit object.
3) You need to do an integration to an LDAP server that is not based on Microsoft Active Directory (i.e. Novell eDirectory, Netscape, Lotus Domino, etc). I've never done an LDAP integration to a server that was not AD in over twenty years of Check Point experience, so that should give you an idea of how common it is.
The "Use UserDirectory for Security Gateways (license required)" checkbox on the Global Properties screen for UserDirectory/SmartDirectory does NOT need to be set for IA to operate, which runs counter to some of Check Point's documentation and the CCSA R80.10 courseware. When IA's AD Query feature is first set up the wizard automatically creates the needed Account Unit object through the underpinnings of UserDirectory which is where a lot of the confusion comes in.
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
