This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
abihsot__
Advisor
‎2019-08-06 01:14 AM

how to configure Captive portal?

Hi All,

I have strange behavior with Captive portal, maybe you will have some ideas.

So I have access role consisting of my username and source network being my computer.

I have a rule x with allows http/https with accept(display captive). As a source I have access role mentioned above.

Rule x+1 is to block http/https.

 

When computer is not associated with username I don't always get captive portal. For example cnn.com displays captive, while www.checkpoint.com don't. In the logs I can see that cnn gets redirected to captive, while access to checkpoint.com (23.214.187.176) is blocked by rule x+1.

 

The ultimate goal is to authenticate linux users and drop not known traffic from computers. 

 

 

0 Kudos
5 Replies
abihsot__
Advisor
‎2019-08-06 08:32 AM

Also, one more issue. I already authenticated and my username is associated with the IP, but when I enter manually captive portal URL into browser I get the following event in the logs:

A secondary session request was received from the same IP. This caused logout of the current session

Immediately username is no longer associated with the IP and I haven't even entered username/password in the portal. How can I stop this behavior if possible?

 

0 Kudos
PhoneBoy
Admin
Admin
‎2019-08-06 06:47 PM

If the site requires HTTPS then unless you have HTTPS Inspection enabled, there's no way to inject a redirect to Captive Portal.
As for the other issue you raise, why would a user manually type in the Captive Portal address into their browser?
0 Kudos
abihsot__
Advisor
‎2019-08-06 11:12 PM
In response to PhoneBoy

Sorry, forgot to mention. This was my idea as well. I do have https inspection enabled.

 

If captive portal cannot be injected, I would probably give users the URL to go manually. While sending the URL, along the way I suppose other users might click on the link out of curiosity which will result in lost access... If I fix the first issue this one becomes obsolete. 

0 Kudos
Norbert_Bohusch
Advisor
‎2019-08-07 12:44 AM
In response to abihsot__

Regarding the second issue (manual opening of captive portal).
Yes, the captive portal overrides other identity sources and as long the user is not logging in on captive portal it overrides with "no user". So the user either has to log on to captive portal then or close page and wait for another logon event of his client to authenticate again.
0 Kudos
abihsot__
Advisor
‎2019-08-08 03:49 AM
In response to Norbert_Bohusch

I am interested why clear username upon visiting Captive portal, and not wait until user enters credentials... Anyway, this won't matter if I fix first problem.

 

curl http://bbc.com -v
* Rebuilt URL to: http://bbc.com/
* Trying 151.101.192.81...
* TCP_NODELAY set
* Connected to bbc.com (151.101.192.81) port 80 (#0)
> GET / HTTP/1.1
> Host: bbc.com
> User-Agent: curl/7.53.1
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 307 Temporary Redirect
< Date: Thu, 08 Aug 2019 10:30:35 GMT
< Server: Check Point SVN foundation
< Content-Type: text/html
< X-UA-Compatible: IE=EmulateIE7
< Connection: close
< X-Frame-Options: SAMEORIGIN1
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Location: https://captiveportal
< Content-Length: 2340

 

However when I try with https:

 

curl https://bbc.com -v
* Rebuilt URL to: https://bbc.com/
* Trying 151.101.128.81...
* TCP_NODELAY set
* Trying 2a04:4e42::81...
* TCP_NODELAY set
* Immediate connect fail for 2a04:4e42::81: Network is unreachable
* Trying 2a04:4e42:400::81...

 

Indeed it seems the problem is that https inspection is not kicking in. Is there something wrong with my configuration? https traffic is dropped by the cleanup rule which is bellow 1077.

 
captive.PNG
Preview file
10 KB
captive_inspect.PNG
Preview file
6 KB
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top