Enforcement using Check Point Next-Generation Firewall

Overview

Deployment of PPS using Check Point Next-Generation Firewall

Deployment of PPS with Check Point Next-Generation Firewall for a Large Enterprise

Configuring PPS with Check Point Next-Generation Firewall

Configuring Check Point Next-Generation Firewall

Troubleshooting

Unsupported Features

Overview

PPS delivers a layer 3 network access control solution when deployed with Check Point Next-Generation Firewall (NGFW). PPS authenticates users, ensures that the endpoints meet security policies, and then dynamically updates the firewall enforcement point with the resulting user session information. After a user authenticates successfully with PPS, access to protected resources behind the firewall is based on the user identity, IP address, and user role information provided by PPS.

The PPS and Check Point firewall integration provides identity-enabled layer 3 enforcement for BYOD, guests, and enterprise employees, and protects sensitive corporate data from unauthenticated access and attacks.

Deployment of PPS using Check Point Next-Generation Firewall

This section describes the integration of PPS with Check Point Next-Generation Firewall. The Check Point Next-Generation Firewall controls access to resources (for example, the internet, CRM systems, wikis, and so on) based on policy settings that define the access. The Check Point Next-Generation Firewall integrates with directory sources (for example, AD or LDAP) to get user and group information. The policies are then defined based on user role information.

PPS serves as the provider of identity information (for example, user-ID, IP address, and roles) for Check Point Next-Generation Firewall. The Check Point Next-Generation Firewall uses the identity information provided by PPS to decide resource access.

Figure 128 Integrating Check Point with PPS

The authentication process is described below:

1. The endpoints connect to the switch/WLAN and perform layer 2 authentication with PPS.

2. PPS performs layer 3 authentication, performs a compliance check on the endpoint, and detects any unauthorized behavior. PPS can also learn the endpoint IP address using accounting and provision mapping.

3. PPS provisions the auth table entries (user-ID, IP address, and roles) on the Check Point Next-Generation Firewall.

4. User role changes, including any detected unauthorized behavior, are dynamically updated on the firewall: PPS provisions the auth table on the Check Point Next-Generation Firewall with any changes in role information. Access is based on roles.

5. The Check Point Next-Generation Firewall applies policies to allow or block user access to protected resources.

Deployment of PPS with Check Point Next-Generation Firewall for a Large Enterprise

For an enterprise with remote branch offices connected to the headquarters with VPN, deploy the Security Gateway at the remote branch offices. When you enable Identity Awareness on the branch office Security Gateway, users are authenticated before they reach internal resources. The identity data on the branch office Security Gateway is shared with other Security Gateways to avoid unnecessary authentication.

For more information, see the Identity Awareness feature documentation from Check Point.

Figure 129 Check Point with PPS

Configuring PPS with Check Point Next-Generation Firewall

This section covers the configuration of PPS for adding Check Point Next-Generation Firewall as an Infranet Enforcer.

The following are the configuration steps:

Configuring Check Point Infranet Enforcer in PPS

Configuring Auth Table Mapping Policies

Configuring Check Point Infranet Enforcer in PPS

The PPS configuration requires defining a new Check Point Infranet Enforcer instance on PPS and then entering the pre-configured shared secret key obtained from the firewall. The shared secret key is used for communication between the Check Point firewall and PPS. The standard user authentication and authorization configurations, such as Auth Table Mapping Policies, should also be created and associated with the required roles.

To configure a Check Point Firewall Infranet Enforcer in PPS:

1. Select Endpoint Policy > Infranet Enforcer.

Figure 130 Infranet Enforcer

2. Click New Infranet Enforcer and select Check Point Firewall in the Platform drop-down.

3. Enter the Name and IP Address of the Check Point Next-Generation Firewall, and enter the shared secret used between PPS and Check Point.

PPS has the default server URL for Check Point R80.10.

Figure 131 Check Point Firewall

For previous versions of Check Point (R77.30), edit the server URL manually to https://<IP_Address>/_IA_MU_Agent/idasdk

Figure 132 Check Point Firewall

4. (Optional) Select Server Certificate Validation to verify the firewall certificate.

5. Click Save Changes.

Configuring Auth Table Mapping Policies

An auth table entry consists of the user's name, a set of roles, and the IP address of the user device. An auth table mapping policy specifies which enforcer device (firewall) can be used for each user role. These policies prevent PPS from creating unnecessary auth table entries on all connected enforcer devices.

The default PPS configuration includes only one auth table mapping policy. When this default auth table mapping policy is enabled, PPS pushes one auth table entry for each authenticated user to the Check Point Next-Generation Firewalls configured as Infranet Enforcers in PPS.

To configure an Auth Table Mapping Policy:

1. Select Endpoint Policy > Infranet Enforcer > Auth Table Mapping and click New Policy.

Figure 133 Check Point Firewall Configuration

2. On the New Policy page:

1. For Name, enter a name to label the auth table mapping policy.

2. (Optional) For Description, enter a description.

3. In the Enforcer section, specify the Infranet Enforcer firewall(s) to which you want to apply the auth table mapping policy.

4. In the Roles section, specify one of the following:

Policy applies to ALL roles - Select this option to apply the auth table mapping policy to all users.

Policy applies to SELECTED roles - Select this option to apply the auth table mapping policy only to users who are mapped to roles in the SELECTED roles list. You can add roles to this list from the available roles list.

Policy applies to all roles OTHER THAN those selected below - Select this option to apply the auth table mapping policy to all users except those who map to the roles in the SELECTED roles list. You can add roles to this list from the available roles list.

5. In the Action section, specify the auth table mapping rule for the specified Infranet Enforcer:

Always Provision Auth Table - Select this option to automatically provision auth table entries for the chosen roles on the specified Infranet Enforcer.

Provision Auth Table as Needed - Select this option to provision auth table entries only when a user with a chosen role attempts to access a resource behind the specified Infranet Enforcer. This option is greyed out for Check Point Firewall Enforcers because it is not supported.

Never Provision Auth Table - Select this option to prevent the chosen roles from accessing resources behind the specified Infranet Enforcer.

3. You must delete the Default Policy if you configure any custom auth table mapping policies. The default PPS configuration includes this default auth table mapping policy, which allows all source IP endpoints to use all Infranet Enforcers.

4. Click Save Changes.

Figure 134 Configuring Auth Table Mapping Policies
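The auth table mapping rules above (role scope, action, and the per-enforcer targeting) can be modelled as a small decision function. The following is an added example written for this page, not PPS or Check Point code; the policy names, enforcer names, and the rule that the first matching policy in list order decides are assumptions of the model, and the role-name check reflects the requirement that Access Role names on the firewall match the PPS role names.

```python
# Added example (not PPS or Check Point code): models how PPS auth table
# mapping policies decide which Infranet Enforcer gets a user's auth table
# entry (user-ID, IP, roles) and checks the roles against the firewall's
# Access Role names. Assumption: the first matching policy in list order wins.
from dataclasses import dataclass, field

ALL, SELECTED, OTHER_THAN = "all", "selected", "other_than"  # Roles section
ALWAYS, NEVER = "always", "never"  # "as needed" is unsupported for Check Point


@dataclass
class MappingPolicy:
    name: str
    enforcers: set                 # Infranet Enforcers the policy applies to
    scope: str                     # ALL, SELECTED or OTHER_THAN
    roles: set = field(default_factory=set)  # the SELECTED roles list
    action: str = ALWAYS

    def matches_roles(self, user_roles):
        """True when the user's roles fall inside this policy's role scope."""
        if self.scope == ALL:
            return True
        hit = bool(self.roles & set(user_roles))
        return hit if self.scope == SELECTED else not hit


def auth_table_decisions(user, ip, user_roles, policies, enforcers):
    """Per enforcer: the auth table entry PPS would provision, or None when
    no policy provisions one or the first matching policy says NEVER."""
    decisions = {}
    for enforcer in enforcers:
        decisions[enforcer] = None
        for pol in policies:
            if enforcer in pol.enforcers and pol.matches_roles(user_roles):
                if pol.action == ALWAYS:
                    decisions[enforcer] = {"user": user, "ip": ip,
                                           "roles": sorted(user_roles)}
                break  # assumption: first matching policy decides
    return decisions


def unmatched_roles(entry, firewall_access_roles):
    """Roles in a pushed entry with no identically named Access Role on the
    gateway; they can never match a security policy rule there."""
    return sorted(set(entry["roles"]) - set(firewall_access_roles))


SAMPLE_POLICIES = [  # constructed sample: two enforcers, two custom policies
    MappingPolicy("no-limited-at-branch", {"CP-Branch"}, SELECTED, {"Limited_Access"}, NEVER),
    MappingPolicy("employees", {"CP-HQ", "CP-Branch"}, SELECTED, {"Full_Access"}, ALWAYS),
]
```

Running unmatched_roles on every entry before it is pushed surfaces role-name typos (such as a PPS role that has no Access Role on the gateway) before they silently fall through to the default_allow rule.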

Configuring Check Point Next-Generation Firewall

The Check Point firewall detects traffic from an endpoint that matches a security policy configured with access roles. It determines the role(s) associated with that user and allows or denies the traffic based on the actions configured in the security policy.

The network interfaces are configured on the Check Point Next-Generation Firewall itself; the remaining configuration is done in Check Point SmartConsole.

Figure 135 Configuring Check Point Next-Generation Firewall

Configuring Identity Awareness in SmartConsole

Identity Awareness lets you configure network access and auditing based on network location, the identity of the user, and the identity of the device. When Identity Awareness identifies a source or destination, it shows the IP address of the user or computer together with a name. This lets you create firewall rules with any of these properties: for example, a rule for specific users only when they send traffic from specific computers, or a rule for a specific user regardless of which computer they send traffic from.

To enable Identity Awareness:

1. Log in to Check Point SmartConsole.

2. From the Security & Gateways view, double-click the Security Gateway on which to enable Identity Awareness.

Figure 136 SmartConsole

3. Create an object for PPS: select Objects > New Host and enter the PPS IP address. Under Servers, enable Web Server and click OK.

Figure 137 Host

4. Select Gateways & Servers > Identity Awareness and enable the following options:

Terminal Servers - Note down the pre-shared secret key.

Identity Web API - Click Settings and add the PPS device to Authorised Clients.

Figure 138 Identity Awareness

5. Click Install Policy.

6. From the Object Explorer, create an object for identity matching by creating user roles. Select Objects > Object Explorer and click New > Users > Access Role.

The role names must match the role names created on PPS.

Figure 139 Creating Access Roles

7. In SmartConsole, create a security policy that places the Access Role in the Source column. Select Security Policies > Access Control > Policy and then configure the required policies. For example, a Full_Access policy allows traffic from clients with the Full_Access role, a Limited_Access policy denies traffic from clients with the Limited_Access role, and a default_allow policy allows all traffic. The Full_Access rule is at the top of the list because it must be evaluated first.

Figure 140 Security Policy based on Access Roles

8. Click Install Policy.

Troubleshooting

You can use the following CLI commands (Expert Mode) on the Check Point firewall for troubleshooting:

pdp monitor all - Displays the table of user identities mapped to IP addresses.

Unsupported Features

The following features are not supported:

IP Address Pools

IPsec Enforcement

IDP Sensors

Virtual Systems (VSYS)

Enforcement for endpoints behind Network Address Translation (NAT)

Resource access policies. The administrator should configure all firewall policies on the firewall through SmartConsole.