David Herselman

Identity Awareness not matching users behind proxy

Discussion created by David Herselman on Sep 12, 2018
Latest reply on Sep 21, 2018 by Dameon Welch Abernathy

We configured security policy layers to detect users behind proxies:

 

Some systems use an explicit caching Squid proxy which is configured to send requests to the Check Point security gateway's proxy interface:

acl local-servers dst 10.0.0.0/8 100.64.0.0/10 172.16.0.0/12 192.168.0.0/16

always_direct allow local-servers
always_direct deny all
never_direct deny local-servers
never_direct allow all
cache_peer 100.127.254.1 parent 3128 0 no-query no-digest

 

Check Point security gateway is configured accordingly:

 

 

Users can only browse when we allow unauthenticated access from the Squid proxy's IP address. We temporarily changed the workstation to explicitly use the Check Point security gateway's proxy interface, navigated to https://fwcp1.lair.co.za/connect, authenticated, and thereafter changed the proxy settings back to using Squid. Reviewing log entries shows the security gateway correctly identifying the IP of the workstation behind the Squid proxy, but the IP is not associated with the authenticated user for that IP:

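To see which destinations the Squid configuration quoted in the post sends straight out and which it hands to the gateway's proxy interface, the following added example (not part of the original post and not Squid's own code) models the `always_direct` / `never_direct` lists with first-match evaluation. It assumes IPv4 `dst` ACLs and one ACL name per rule, as in the post; the function names and the sample destinations are made up for illustration.

```python
import ipaddress

# Directives copied from the Squid configuration in the post.
SQUID_CONF = """\
acl local-servers dst 10.0.0.0/8 100.64.0.0/10 172.16.0.0/12 192.168.0.0/16
always_direct allow local-servers
always_direct deny all
never_direct deny local-servers
never_direct allow all
cache_peer 100.127.254.1 parent 3128 0 no-query no-digest
"""

def parse(conf):
    """Collect dst ACLs, the two access lists and the parent peer."""
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0")]}
    rules = {"always_direct": [], "never_direct": []}
    peer = None
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "acl" and len(tok) > 3 and tok[2] == "dst":
            acls.setdefault(tok[1], []).extend(ipaddress.ip_network(n) for n in tok[3:])
        elif tok[0] in rules and len(tok) == 3:
            rules[tok[0]].append((tok[1] == "allow", tok[2]))
        elif tok[0] == "cache_peer" and len(tok) > 3 and tok[2] == "parent":
            peer = f"{tok[1]}:{tok[3]}"
    return acls, rules, peer

def allowed(rule_list, acls, ip):
    """First matching rule decides; no match is treated as 'not allowed' in this model."""
    for allow, name in rule_list:
        if any(ip in net for net in acls.get(name, [])):
            return allow
    return False

def route(dest, conf=SQUID_CONF):
    """Return 'DIRECT', 'PARENT <ip:port>' or 'EITHER' for an IPv4 destination."""
    acls, rules, peer = parse(conf)
    ip = ipaddress.ip_address(dest)
    if allowed(rules["always_direct"], acls, ip):
        return "DIRECT"          # Squid fetches it itself; the gateway proxy never sees it
    if allowed(rules["never_direct"], acls, ip):
        return f"PARENT {peer}"  # must be relayed through the cache_peer
    return "EITHER"

if __name__ == "__main__":
    for d in ("192.168.10.5", "100.127.254.1", "203.0.113.80"):  # constructed samples
        print(d, "->", route(d))
```

Requests to anything inside the `local-servers` ranges never reach the gateway's proxy interface, so only the remaining destinations depend on the gateway identifying the user behind Squid.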