Check Point Security Administration Guide

This document provides instructions for configuring Check Point security policies and features including: 1. Configuring an access role that allows the Marketing department access to restricted websites from the internal network and enables identity awareness captive portal. 2. Modifying the Outgoing rule to include the WiFi network and configure NAT for it. 3. Testing the identity awareness connection from the internal and WiFi networks and verifying user identification in logs.

Check Point Security Administration

6. Click the Connect button, and the system connects to the LDAP server:

Figure 481 — Integration with Active Directory

7. Click Next, and the system displays the following:

Figure 482 — Captive Portal Settings

NOTE
The system selects the external interface of the gateway by default.

8. Click the Edit button, and the system displays the Accessibility window.
9. Select the following options:
• Including undefined internal interfaces
• Including DMZ internal interfaces
• Including VPN encrypted interfaces
10. Click OK.

11. Click Next, and the system displays the following:

Figure 483 — Identity Awareness Configuration

12. Click Finish.


13. Click OK.
14. In the Application menu, select Global Properties.
15. In the Navigation pane, select User Directory.

16. Select the following option:

Use User Directory for Security Gateways (license required)

Figure 484 — Global Properties - User Directory

17. Click OK.


18. Publish the changes.
19. Install the Security Policy.

Defining the User Access Role


Create an access role that allows users in the Marketing department access to restricted sites on the
Internet, if they are accessing these sites from the internal network.

1. Navigate to the AppCtrl policy layer in the Alpha_Standard policy.


2. Add a new rule to the top of the Rule Base and configure it as follows:

Name: Marketing Access


Source: Any
Destination: Any
VPN: Any
Services & Applications: Skype, YouTube, Facebook, Twitter, Snapchat
Action: Accept
Track: Log
Install On: A-GW-Cluster

3. Publish all changes to the Security Policy.


4. Close SmartConsole.
5. Restart SmartConsole and log in as the admin user.
6. In the Source field of the Marketing Access rule, click the + icon.
7. Click the New icon.

8. Select Access Role, and the system displays the following:

Figure 485 — New Access Role - Networks

9. Use the following information to configure the window:


Name: Marketing
Comment: Marketing Group Access Role
Specific Networks: A-INT-NET

10. In the Navigation pane, select Users.


11. Select the option Specific Users/Groups.
12. Click the plus icon.
13. Click the Show Users Group icon.

NOTE
This step may be skipped, depending on your LDAP configuration.

14. Search for and add the Odd group:

Figure 486 — New Access Role - Users

NOTE
You must select a user group.

15. Click OK to create the new access role and add it to the new rule.
16. Publish the changes.

17. Next, right-click the Accept icon in the Action field of the Marketing Access rule:

Figure 487 — Security Policies - Access Control - AppCtrl

18. Select More, and the system displays the Action Settings window.
19. Select the following option:

Enable Identity Captive Portal

Figure 488 — Action Settings

20. Click OK, and the system modifies the Action field of the Marketing Access rule:

Figure 489 — Marketing Access Rule Configured

21. Navigate to the Network policy layer.

22. Re-configure the Outgoing rule as follows:

Name: Outgoing
Source: Alpha-Nets
Destination: Any
VPN: Any
Services & Applications: http, https, ftp
Action: URL_Filtering
Track: N/A

Figure 490 — Outgoing Rule

23. Double-click the Alpha-Nets object.

24. Add A-WIFI-NET to the Alpha-Nets group:

Figure 491 — Network Group

25. Click OK.


26. Search for and double-click the A-WIFI-NET object.
27. In the Navigation pane, select NAT.

28. Configure the window as follows:

Add automatic address translation rules: Selected


Translation method: Hide
Hide behind the gateway: Selected
Install on gateway: All
Tag: WiFi

Figure 492 — Network - NAT Configured

29. Click OK.


30. Disable HTTPS inspection, if it is still enabled.
31. Publish the database changes.
32. Install the Alpha_Standard policy.

Testing Identity Awareness Connection


Test the Identity Awareness connection from the internal and WiFi networks.

1. Log into A-Host using the following credentials:

Username: ALPHA\User1
Password: Chkp!234

NOTE
Check with your instructor if you are unable to authenticate. The LDAP server in
your classroom may have differently configured users.

2. Open an Internet browser.


3. Attempt to access the Internet. You should be successful.

NOTE
When accessing Internet sites from A-Host, ensure that you are not attempting to
visit sites specified in the Marketing Access rule to avoid being prompted for
authentication by Captive Portal.

4. From SmartConsole, navigate to the Logs & Monitor tab.

5. View an Accept log for the HTTP or HTTPS traffic originating from A-Host:

Figure 493 — Log Details

6. Identify the name of the user in the log.


7. Close the log.
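
The check in steps 5 and 6 can also be done over exported logs instead of one record at a time in SmartConsole. The script below is an added example and is not part of this lab or a Check Point tool: it parses constructed records written in the key="value" style of Check Point Log Exporter output, and reports Accept logs that carry a user name, Accept logs from a source that Identity Awareness never mapped to a user, and Captive Portal redirects. The field names (src, action, rule_name, src_user_name, identity_src, src_machine_name) and all addresses are assumptions made for the example.

```python
"""Checking Identity Awareness in exported logs: an added example, not part of
the original lab or a Check Point tool.  The sample records below are
constructed in the key="value" style of Check Point Log Exporter output; the
field names (src, action, rule_name, src_user_name, identity_src, ...) are
assumed for illustration, and the addresses are made up."""
import re

# Constructed sample records (not real logs).  Record 2 is the case to catch:
# an Accept from A-Host that carries no user identity.
SAMPLE_LOGS = [
    r'time="2024-05-01T10:01:12Z" action="Accept" layer_name="Network" rule_name="Outgoing" '
    r'src="10.1.1.50" dst="93.184.216.34" service="https" src_machine_name="A-Host" '
    r'src_user_name="User1 (ALPHA\User1)" identity_src="AD Query"',
    r'time="2024-05-01T10:01:15Z" action="Accept" layer_name="Network" rule_name="Outgoing" '
    r'src="10.1.1.50" dst="93.184.216.34" service="http" src_machine_name="A-Host"',
    r'time="2024-05-01T10:05:40Z" action="Redirect" layer_name="AppCtrl" rule_name="Guest Access" '
    r'src="10.1.9.20" dst="151.101.1.67" service="https"',
    r'time="2024-05-01T10:06:02Z" action="Accept" layer_name="AppCtrl" rule_name="Guest Access" '
    r'src="10.1.9.20" dst="151.101.1.67" service="https" '
    r'src_user_name="Guest" identity_src="Captive Portal"',
]

# key="quoted value" or key=bare-token
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log_line(line):
    """Turn one key=value record into a dict (quotes stripped)."""
    rec = {}
    for m in _PAIR.finditer(line):
        rec[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return rec

def audit(lines):
    """Group records the way the lab asks you to check them:
    identified   - Accept logs that name a user (what step 6 looks for)
    unidentified - Accept logs with no user: Identity Awareness did not map the source
    redirects    - Captive Portal redirects, i.e. sources still waiting to authenticate
    """
    report = {"identified": [], "unidentified": [], "redirects": []}
    for rec in map(parse_log_line, lines):
        if rec.get("action") == "Redirect":
            report["redirects"].append(rec)
        elif rec.get("action") == "Accept":
            key = "identified" if rec.get("src_user_name") else "unidentified"
            report[key].append(rec)
    return report

def users_seen_from(lines, src_ip):
    """Distinct (user, identity source) pairs logged for one host, e.g. A-Host."""
    pairs = set()
    for rec in map(parse_log_line, lines):
        if rec.get("src") == src_ip and rec.get("src_user_name"):
            pairs.add((rec["src_user_name"], rec.get("identity_src", "")))
    return sorted(pairs)

if __name__ == "__main__":
    result = audit(SAMPLE_LOGS)
    for rec in result["unidentified"]:
        print("no identity on Accept:", rec["src"], rec["rule_name"], rec["service"])
    print("A-Host seen as:", users_seen_from(SAMPLE_LOGS, "10.1.1.50"))
```

An Accept from A-Host with no user name means the gateway passed the traffic on the Outgoing rule before Identity Awareness had an identity for that address; a long run of such records after the user logged in points at the AD Query or LDAP configuration from the earlier steps, not at the rule base.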

Controlling Tablet Access Through Captive Portal


(Optional)
Verify that tablets and other BYOD users have their Internet access managed by Captive Portal.

1. Navigate to the AppCtrl policy layer in the Alpha_Standard policy.


2. Add a new rule to the top of the Rule Base and configure it as follows:

Name: Guest Access


Source: Any
Destination: Any
VPN: Any
Services & Applications: News / Media
Action: Accept
Track: Log

3. In the Source field, click the + icon to launch the Object picker.

4. In the Object picker, click the new button:

Figure 494 — Object Picker - New Menu

5. Select Access Role.


6. Name the new access role Guests.
7. Add A-WIFI-NET as a specific network.
8. In the navigation pane, select Users.

9. In the Users page, select the following option:

All identified users

Figure 495 — New Access Role - Users - Configured

10. Click OK to add the new access role to the Source field of the Guest Access rule.
11. Right-click the action column:

Figure 496 — Action Menu

12. In the Action menu, select More.


13. In the Action Settings window, select the following option:

Enable Identity Captive Portal

Figure 497 — Action Settings Configured

14. Click OK.


15. Confirm that the Guest Access Rule is configured as follows:

Figure 498 — Guest Access Rule Configured

16. Publish the changes.


17. Install the Security Policy.

18. Power on the A-Guest virtual machine:

Figure 499 — Windows Tablet

19. Open Internet Explorer.

20. Attempt to navigate to www.cnn.com, and the browser displays the Certificate Warning page:

Figure 500 — Security Certificate Warning Page

21. Click the following option, and the user is prompted with Captive Portal:

Continue to this webpage (not recommended)

NOTE
The warning appears because the gateway intercepts the HTTPS request in order to redirect it to Captive Portal and presents its own portal certificate. By default that certificate is issued by the Check Point Internal CA (ICA), which the tablet does not trust. Outside the classroom, install a portal certificate issued by a CA the clients trust rather than training users to click through certificate warnings.

22. Log into Captive Portal with the following credentials:

Username: Guest
Password: Chkp!234

Figure 501 — Captive Portal
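
The two procedures above (Defining the User Access Role and this one) both rely on how an Access Role is matched: the source must be in the role's networks and the user must satisfy the role's user setting, and with Enable Identity Captive Portal set on the action, web traffic from an address with no identity yet is redirected to the portal instead of falling through. The model below is an added example, not Check Point code, that replays the rule base as the lab leaves it (Guest Access on top, Marketing Access below it, both in the AppCtrl layer) against the cases the lab tests and the ones its NOTEs warn about. The subnets behind A-INT-NET and A-WIFI-NET, the users' membership of the Odd group and the treatment of a connection that no rule matches are assumptions made for the example.

```python
"""Offline model of how the two Identity Awareness rules built in this lab
(Guest Access on top, Marketing Access below it, both in the AppCtrl layer)
decide on a connection.  Added example, not Check Point code.  The subnets,
the "Odd" group membership of the users and the handling of a connection no
rule matches are assumptions for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed prefixes for the lab's network objects.
NETWORKS = {
    "A-INT-NET": ip_network("10.1.1.0/24"),
    "A-WIFI-NET": ip_network("10.1.9.0/24"),
}
# Only web connections can be redirected to the Captive Portal.
WEB_SERVICES = frozenset({"http", "https"})

@dataclass(frozen=True)
class AccessRole:
    name: str
    networks: tuple              # network object names ("Specific Networks")
    groups: Optional[frozenset]  # None means "All identified users"

@dataclass(frozen=True)
class Rule:
    name: str
    source: AccessRole
    services: frozenset          # application names and/or categories
    captive_portal: bool         # "Enable Identity Captive Portal" on the Action

@dataclass(frozen=True)
class Connection:
    src_ip: str
    service: str                 # http, https, ftp, ...
    app: str                     # application the AppCtrl blade recognised
    category: str                # its category, e.g. "News / Media"
    user: Optional[str] = None   # None: Identity Awareness has no identity yet
    groups: frozenset = frozenset()

def network_matches(role, conn):
    ip = ip_address(conn.src_ip)
    return any(ip in NETWORKS[name] for name in role.networks)

def identity_matches(role, conn):
    if conn.user is None:
        return False
    return role.groups is None or bool(role.groups & conn.groups)

def evaluate(rules, conn):
    """First matching rule wins.  Returns (decision, rule name or None)."""
    for rule in rules:
        if not network_matches(rule.source, conn):
            continue
        if not (conn.app in rule.services or conn.category in rule.services):
            continue
        if identity_matches(rule.source, conn):
            return "Accept", rule.name
        # Network and service match but the source has no identity: with the
        # portal enabled on the action, web traffic is sent to authenticate.
        if conn.user is None and rule.captive_portal and conn.service in WEB_SERVICES:
            return "Redirect to Captive Portal", rule.name
        # Identified but not in the role's groups (or non-web traffic): next rule.
    return "No match", None   # assumption: left to the layer's cleanup rule

# The rule base as the two procedures leave it.
MARKETING = AccessRole("Marketing", ("A-INT-NET",), frozenset({"Odd"}))
GUESTS = AccessRole("Guests", ("A-WIFI-NET",), None)
APPCTRL = (
    Rule("Guest Access", GUESTS, frozenset({"News / Media"}), True),
    Rule("Marketing Access", MARKETING,
         frozenset({"Skype", "YouTube", "Facebook", "Twitter", "Snapchat"}), True),
)

def scenarios():
    """The lab's test cases plus the ones the NOTEs warn about."""
    user1 = dict(user=r"ALPHA\User1", groups=frozenset({"Odd"}))
    return {
        "User1 on A-INT-NET to Facebook":
            evaluate(APPCTRL, Connection("10.1.1.50", "https", "Facebook", "Social Networking", **user1)),
        "unidentified host on A-INT-NET to Facebook":
            evaluate(APPCTRL, Connection("10.1.1.50", "https", "Facebook", "Social Networking")),
        "unidentified host on A-INT-NET to a plain web site":
            evaluate(APPCTRL, Connection("10.1.1.50", "http", "Example Site", "Computers / Internet")),
        "unidentified tablet on A-WIFI-NET to a news site":
            evaluate(APPCTRL, Connection("10.1.9.20", "https", "CNN", "News / Media")),
        "Guest on A-WIFI-NET to a news site":
            evaluate(APPCTRL, Connection("10.1.9.20", "https", "CNN", "News / Media", user="Guest")),
        "User1 on A-WIFI-NET to Facebook":
            evaluate(APPCTRL, Connection("10.1.9.20", "https", "Facebook", "Social Networking", **user1)),
    }

if __name__ == "__main__":
    for case, (decision, rule) in scenarios().items():
        print(f"{case}: {decision}" + (f" ({rule})" if rule else ""))
```

The third case is why the NOTE in Testing Identity Awareness Connection tells you to stay away from the Marketing Access applications when browsing from A-Host: a site outside the rule's Services & Applications never reaches the identity check, so an unidentified host is neither accepted by that rule nor redirected, and the connection is decided further down the policy.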
