156-315.81.20 Advanced User Access Management

Detailed list of 156-315.81.20 knowledge points

Advanced User Access Management Detailed Explanation

This breakdown provides a detailed understanding of Advanced User Access Management in Check Point, including Identity Awareness, authentication techniques, dynamic user groups, and advanced use cases.

Key Objective 1: Identity Awareness (IA)

What is Identity Awareness (IA)?

Identity Awareness allows the Security Gateway to enforce policies based on the user’s identity instead of just their IP address. This feature is particularly useful in environments where users share devices, work in dynamic IP environments, or require granular access control.

Benefits of IA:

  1. User-based policies improve precision and flexibility.
  2. Integration with directory services simplifies access management.
  3. Enhances auditing and reporting with user-specific logs.

How to Configure IA to Enforce User-Based Policies

  1. Enable IA on the Gateway:
    • Open SmartConsole.
    • Select the Security Gateway, then navigate to Identity Awareness in the properties.
    • Enable the feature and choose the preferred identity sources.
  2. Select Identity Sources:
    • Available identity sources include:
      • Active Directory Query: Automatically queries AD for user logins.
      • Identity Agent: Requires users to log in using a Check Point agent.
      • Captive Portal: Users authenticate through a browser-based portal.
      • RADIUS Accounting: Retrieves user details from a RADIUS server.
    • Configure at least one identity source.
  3. Define User-Based Rules:
    • In the Access Control policy, create rules specifying user or group-based conditions.
    • Example:
      • Allow users in the “HR” group to access payroll servers.
      • Deny access to social media for users in the “Interns” group.
  4. Test the Configuration:
    • Log in as a test user.
    • Verify that access policies are correctly applied based on user identity.

Integrating IA with Directory Services

To supply Identity Awareness with user identities, integrate it with a directory or authentication service such as Active Directory (AD), LDAP, or RADIUS.

  1. Active Directory Integration:
    • Step 1: Add the AD server in SmartConsole.
    • Step 2: Configure the gateway to query AD for user login events.
    • Step 3: Map AD groups to Check Point user groups for policy assignment.
  2. LDAP Integration:
    • Use LDAP to authenticate users and retrieve group memberships.
    • Ensure that LDAP queries are encrypted (use LDAPS).
  3. RADIUS Integration:
    • Configure a RADIUS server to handle user authentication.
    • Commonly used for environments with VPN or remote access.

Key Objective 2: Authentication Techniques

What is Multi-Factor Authentication (MFA)?

MFA requires users to authenticate using two or more factors, such as:

  1. Something they know: Password or PIN.
  2. Something they have: Security token, smartphone app (e.g., TOTP).
  3. Something they are: Biometric verification.

Steps to Integrate MFA:

  1. Configure the gateway to use an external RADIUS server or SAML for authentication.
  2. Link the RADIUS server to an MFA provider, such as Duo Security, Microsoft Authenticator, or Google Authenticator.
  3. Define MFA requirements in the authentication policy.

What is Single Sign-On (SSO)?

SSO allows users to authenticate once and gain access to multiple resources without logging in again. This is achieved through protocols such as Kerberos or SAML.

How to Configure SSO:

  1. Enable SSO in the Identity Awareness settings.
  2. Integrate with Active Directory to use Kerberos for Windows authentication.
  3. For web-based SSO, configure the gateway as a SAML Service Provider (SP).

What is a Captive Portal?

A Captive Portal is a web-based authentication page that users are redirected to when trying to access a network.

Steps to Configure Captive Portal:

  1. Enable the Captive Portal option in the Identity Awareness settings.
  2. Customize the portal with your organization’s branding.
  3. Define which users or devices will be prompted to authenticate via the portal.

Key Objective 3: Dynamic User Groups

What are Dynamic User Groups?

Dynamic User Groups (DUGs) automatically update their membership based on directory attributes, such as organizational unit (OU), department, or user role.

Benefits of DUGs:

  1. Automatic updates reduce administrative overhead.
  2. Policies stay accurate as users change roles or departments.

Steps to Configure DUGs:

  1. Create a DUG in SmartConsole:
    • Specify the directory attributes or group membership criteria.
    • Example: All users in the “Engineering” OU are automatically added to the “Engineering” group.
  2. Use DUGs in Policies:
    • Reference the dynamic group in access control or NAT policies.
    • Example: Grant VPN access to users in the “RemoteWorkers” DUG.

Defining Granular Policies for User Roles

  1. Role-Based Policies:
    • Define rules specific to user roles, such as “Finance,” “HR,” or “IT Support.”
    • Example:
      • IT Support can access all subnets.
      • Finance users can access only accounting servers.
  2. Department-Level Policies:
    • Use DUGs to assign department-wide policies.
    • Example:
      • The “Marketing” group is allowed to access social media, while the “Operations” group is not.

Advanced Considerations

Managing Guest User Access with Time-Based Policies

  1. Define Guest Access Rules:
    • Create a dedicated rule for guest users.
    • Use Captive Portal for authentication.
  2. Set Time-Based Restrictions:
    • Configure time-based policies in SmartConsole.
    • Example: Guests can access the internet from 9 AM to 5 PM but are blocked after hours.

Enabling Seamless Identity-Based Access Across Hybrid Environments

  1. Integrate Identity Awareness with both on-premises and cloud environments.
  2. Use SAML-based federation for seamless access across platforms like Azure AD or Google Workspace.
  3. Configure policies that account for both local and remote identities.

Example Use Case

Scenario: Enforcing User-Based Policies in a Hybrid Environment

  • Challenge: An organization wants to allow HR employees to access payroll systems both on-premises and via a cloud-based app.
  • Solution:
    • Configure Identity Awareness to retrieve user identities from Active Directory.
    • Use MFA to secure access to the cloud-based app.
    • Define an access control policy that applies to the “HR” group, allowing access to payroll systems only.

Advanced User Access Management (Additional Content)

Key Objective 1: Identity Awareness (IA)

Essential CLI Commands for Identity Awareness Troubleshooting

Identity Awareness relies heavily on real-time identity acquisition and enforcement. The following commands are essential for troubleshooting:

  • pdp monitor
    • Run on the PDP (Policy Decision Point) gateway.
    • Displays a live list of authenticated users and their roles.
  • pep show user all
    • Run on the PEP (Policy Enforcement Point) gateway.
    • Shows user identities known to the local gateway and their session status.
  • adlog a dc query
    • Tests LDAP/AD connectivity and domain controller response from the gateway.

These commands are critical when diagnosing login issues, missing identities, or synchronization delays.

Connectivity and Time Synchronization Requirements

Successful Identity Awareness requires:

  • Reliable communication between the Security Gateway and the identity source (e.g., Active Directory, RADIUS).
  • Clock synchronization between gateways and identity sources. A time drift >5 minutes may cause:
    • Kerberos ticket rejection.
    • SAML assertion failures.
    • Logging anomalies.

Recommendation: Use NTP on all components to ensure consistent timestamps.

What Is Identity Sharing?

Identity Sharing allows multiple gateways to share user identity information to avoid redundant authentication or repeated queries to AD.

  • Enabled via SmartConsole under Identity Awareness > Sharing Settings.
  • One gateway (PDP) can publish user identity data to other gateways (PEPs).
  • Reduces load on identity sources and improves authentication efficiency in distributed environments.

Key Objective 2: Authentication Techniques

SAML – Web-Only Authentication Scope

SAML (Security Assertion Markup Language) is only supported for web-based authentication flows, such as:

  • Captive Portal
  • Mobile Access Web Portal
  • SmartConsole login (as of R81.20+ with cloud identity integration)

Limitations:

  • Not supported for:
    • VPN client authentication (e.g., Endpoint Security VPN)
    • CLI/SSH authentication

Exam Tip: SAML cannot be used for remote access VPN unless a web portal is involved.

Common SAML/SSO Failure Scenario and Fallback Behavior

Typical Scenario:

  • A user tries to authenticate via SAML, but the IdP is unreachable or SSO fails.

Default Behavior:

  • Check Point falls back to basic authentication (username/password) if configured.
  • If no fallback is defined, the authentication fails entirely.

Recommendation:

  • Always define a secondary authentication method (e.g., RADIUS or LDAP) for redundancy.

Supported SAML Identity Providers

Check Point supports a wide range of SAML 2.0-compliant Identity Providers (IdPs), including:

Identity Provider      | Support Status
---------------------- | --------------
Azure Active Directory | Supported
Okta                   | Supported
Google Workspace       | Supported
Ping Identity          | Supported
ADFS (Microsoft)       | Supported

Configuration typically involves:

  • Importing the IdP’s metadata XML.
  • Matching entity IDs and redirect URLs.
  • Assigning SAML profiles to access roles in SmartConsole.

Key Objective 3: Dynamic User Groups (DUGs)

DUG Dependency on Directory Synchronization

Dynamic User Groups rely on real-time communication with the identity source (e.g., AD or LDAP). If the connection to the directory fails:

  • DUG membership updates are delayed.
  • Users may be granted incorrect access based on stale data.

Monitoring Tool:

  • Use pdp monitor to verify DUG membership assignments.

DUGs vs Static User Groups – Key Differences

Feature                     | Dynamic User Group (DUG)           | Static User Group
--------------------------- | --------------------------------- | -------------------------
Membership Update Frequency | Real-time, dynamic                | Manual, admin-assigned
Backend Source              | AD/LDAP attribute filters         | SmartConsole-defined
Caching                     | Limited cache, short-lived        | Persistent
Use Case                    | Role-based access (e.g., HR, Dev) | Small, static environments

Tip: DUGs are ideal for large or cloud-integrated environments where users often change roles.
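The two DUG passages above describe membership derived from directory attributes (OU, department, group membership) and the risk of stale membership when the directory link fails. The script below, an added example that is not Check Point code and does not talk to a real directory, models both: it evaluates attribute filters over a constructed LDAP-style snapshot and then compares a cached membership list against a fresh evaluation, flagging users who would be over- or under-granted. The DN values, group definitions, and the 15-minute cache-age threshold are all assumptions made for the example.

```python
"""Evaluate Dynamic User Group membership from directory attributes and
flag stale cached membership.

Added example; not Check Point code. The directory snapshot, the DUG rules
and the cache contents are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed directory snapshot: LDAP-style DNs plus a few attributes.
DIRECTORY = [
    {"dn": "CN=alice,OU=Engineering,DC=example,DC=test", "department": "Engineering",
     "memberOf": ["CN=VPN-Users,OU=Groups,DC=example,DC=test"]},
    {"dn": "CN=bob,OU=Finance,DC=example,DC=test", "department": "Finance", "memberOf": []},
    {"dn": "CN=carol,OU=Engineering,DC=example,DC=test", "department": "Engineering", "memberOf": []},
    {"dn": "CN=dave,OU=Sales,DC=example,DC=test", "department": "Sales",
     "memberOf": ["CN=VPN-Users,OU=Groups,DC=example,DC=test"]},
]

# DUG definitions (assumed): every (attribute, value) rule must match.
DUGS = {
    "Engineering": [("ou", "Engineering")],
    "RemoteWorkers": [("memberOf", "CN=VPN-Users,OU=Groups,DC=example,DC=test")],
    "Finance": [("department", "Finance")],
}


def parse_utc(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def ou_of(dn):
    """Return every OU value found in a DN, innermost first."""
    return [part[3:] for part in dn.split(",") if part.upper().startswith("OU=")]


def cn_of(dn):
    """Return the leaf CN of a DN (the user name for our purposes)."""
    return dn.split(",")[0][3:]


def matches(user, attribute, value):
    """Test one DUG rule against one directory record."""
    if attribute == "ou":
        return value in ou_of(user["dn"])
    field = user.get(attribute, [])
    if isinstance(field, list):
        return value in field
    return field == value


def dug_members(dug_name, directory=DIRECTORY, dugs=DUGS):
    """Fresh membership of a DUG: the users matching all of its rules."""
    rules = dugs[dug_name]
    return sorted(cn_of(u["dn"]) for u in directory
                  if all(matches(u, attr, val) for attr, val in rules))


def stale_cache_findings(cached, now_iso, directory=DIRECTORY, dugs=DUGS, max_age_minutes=15):
    """Compare cached DUG membership with a fresh evaluation.

    `cached` maps DUG name -> {"members": [...], "fetched_at": ISO timestamp}.
    Returns a list of human-readable findings; an empty list means the cache
    is both fresh and consistent with the directory.
    """
    now = parse_utc(now_iso)
    max_age = timedelta(minutes=max_age_minutes)
    findings = []
    for dug_name, entry in cached.items():
        if now - parse_utc(entry["fetched_at"]) > max_age:
            findings.append(f"{dug_name}: cache older than {max_age_minutes} min; "
                            "directory sync may be failing")
        fresh = set(dug_members(dug_name, directory, dugs))
        cached_members = set(entry["members"])
        for user in sorted(cached_members - fresh):
            findings.append(f"{dug_name}: {user} still cached but no longer matches "
                            "the directory (over-granted)")
        for user in sorted(fresh - cached_members):
            findings.append(f"{dug_name}: {user} matches the directory but is missing "
                            "from the cache (under-granted)")
    return findings


if __name__ == "__main__":
    for name in DUGS:
        print(name, "->", dug_members(name))
    stale = {"Engineering": {"members": ["alice", "bob"], "fetched_at": "2024-01-01T11:30:00Z"}}
    for line in stale_cache_findings(stale, "2024-01-01T12:00:00Z"):
        print(line)
```

In a real deployment the "fresh" side is what `pdp monitor` shows and the "cached" side is whatever the enforcement point last learned; the useful output is the over-granted list, because that is the access the page warns about when directory data goes stale.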

Advanced Use Cases and Hybrid Deployments

Identity Broker Requirement for Cloud IdP Integration

When using cloud-based identity sources (e.g., Azure AD via SAML), Check Point requires the use of Identity Broker on the Security Gateway or CloudGuard Controller.

  • Identity Broker acts as a mediator between the gateway and the cloud IdP.
  • It processes identity tokens and converts them into PDP/PEP sessions.

Enable via: SmartConsole > Identity Awareness > Identity Sources > Identity Broker.

Cloud Identity Sync Frequency and Failure Mechanism

  • Sync Frequency:
    • SAML-based assertions are usually valid for 60 minutes, depending on the IdP's TTL.
    • Check Point updates identities upon each successful login.
  • Failure Behavior:
    • If the cloud IdP becomes unreachable:
      • New users cannot authenticate.
      • Existing sessions remain valid until expiration.
      • Logs show “Identity Fetch Timeout” or “Federation Failed”.

Recommendation:
Enable session redundancy, and configure grace periods for identity expiration under SmartConsole settings.
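The page makes two time-related points about SAML: a clock drift of more than five minutes between gateway and identity source can cause assertion failures, and assertions typically carry a validity window of about 60 minutes set by the IdP. The script below, an added example that is not Check Point's code, shows how those two facts interact when an assertion's Conditions element is checked against the gateway clock. The assertion is constructed, and the five-minute skew allowance is an assumption borrowed from the page's Kerberos figure, not a documented Check Point setting.

```python
"""Check a SAML assertion's validity window against the gateway clock.

Added example; not Check Point code. The assertion is constructed and the
skew allowance is an assumption, not a product default.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_SKEW = timedelta(minutes=5)   # assumed tolerance, mirrors the page's 5-minute drift figure

# Constructed sample assertion with a 60-minute window starting 12:00 UTC.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T13:00:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML dateTime values are UTC and end in 'Z'; fromisoformat wants an offset."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assertion_window(xml_text):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    return parse_saml_time(cond.attrib["NotBefore"]), parse_saml_time(cond.attrib["NotOnOrAfter"])


def assertion_lifetime_minutes(xml_text):
    """How long the IdP said the assertion is good for (the page's 'TTL')."""
    not_before, not_on_or_after = assertion_window(xml_text)
    return int((not_on_or_after - not_before).total_seconds() // 60)


def check_assertion_time(xml_text, now, skew=MAX_SKEW):
    """Decide whether the assertion is inside its window at gateway time `now`.

    Returns (accepted, reason). `now` may be a datetime or an ISO string.
    The skew allowance is applied on both edges, as a relying party would.
    """
    now = parse_saml_time(now)
    not_before, not_on_or_after = assertion_window(xml_text)
    if now + skew < not_before:
        return False, "not yet valid: gateway clock is behind the IdP by more than the skew allowance"
    if now - skew >= not_on_or_after:
        return False, "expired: window passed, or gateway clock is ahead of the IdP by more than the skew allowance"
    return True, "within validity window"


def clock_drift_exceeds(gateway_time, source_time, limit=MAX_SKEW):
    """True when two clocks differ by more than `limit` (the page's >5 minute case)."""
    delta = parse_saml_time(gateway_time) - parse_saml_time(source_time)
    return abs(delta) > limit


if __name__ == "__main__":
    print("assertion lifetime:", assertion_lifetime_minutes(SAMPLE_ASSERTION), "minutes")
    for clock in ("2024-01-01T11:52:00Z", "2024-01-01T12:30:00Z", "2024-01-01T13:06:00Z"):
        print(clock, check_assertion_time(SAMPLE_ASSERTION, clock))
    print("drift 7 min exceeds limit:",
          clock_drift_exceeds("2024-01-01T12:00:00Z", "2024-01-01T12:07:00Z"))
```

The point the example makes for troubleshooting is that a gateway whose clock runs seven minutes behind will reject a freshly issued assertion as "not yet valid" even though nothing is wrong with the IdP, which is why the page recommends NTP on every component before looking for a federation fault.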

Summary Table of Key Additions

Topic Area                | Supplemented Insight
------------------------- | -------------------------------------------------------------------
IA CLI Commands           | pdp monitor, pep show user all, adlog a dc query
Connectivity Dependence   | Gateway <-> Identity Source requires network + NTP sync
Identity Sharing          | Enables PDP-PEP sharing of user identities
SAML Authentication Scope | Web-only; not usable for VPN/CLI
SAML Failure Fallback     | Defaults to basic auth or fails if no backup method defined
Supported SAML IdPs       | Azure AD, Okta, Google Workspace, Ping Identity
DUG Behavior              | Real-time sync vs. static group membership
Identity Broker           | Required for Azure AD/SAML in hybrid/cloud environments
Cloud Sync Limitations    | Affected by TTLs, IdP availability, session expiration handling

Frequently Asked Questions

Why might Identity Awareness fail to correctly identify users in firewall logs?

Answer:

The firewall may not receive user identity information from the authentication source.

Explanation:

Identity Awareness relies on integration with identity providers such as directory services or authentication agents to map network connections to specific users. If the gateway cannot obtain this identity information, traffic will appear as unidentified in logs. This can occur due to communication failures with the identity source, misconfigured identity agents, or missing integration settings. When identity mapping is unavailable, firewall policies referencing user identities cannot be applied correctly. Administrators troubleshooting this issue typically verify connectivity between the gateway and the identity provider, confirm that identity agents are functioning, and review identity mapping logs to ensure user sessions are being detected.

Demand Score: 83

Exam Relevance Score: 81

Why might user-based firewall rules fail even when users successfully authenticate?

Answer:

The firewall may not associate the authenticated user with the correct network session.

Explanation:

User-based firewall rules rely on the firewall associating network connections with authenticated user identities. If authentication occurs through a method that does not properly link the user identity to the client’s network session, the firewall may not apply identity-based rules. This situation can arise when authentication occurs on a separate system or when identity mapping mechanisms are misconfigured. In such cases, the firewall may treat the traffic as originating from an unidentified user, causing identity-based rules to be skipped. Ensuring that identity mapping mechanisms correctly bind user sessions to network connections allows the firewall to enforce user-based access policies effectively.

Demand Score: 79

Exam Relevance Score: 80

What operational benefit does Identity Awareness provide in firewall policy enforcement?

Answer:

It enables security policies to be enforced based on user identity rather than IP address.

Explanation:

Traditional firewall policies rely primarily on IP addresses to determine whether traffic should be allowed or blocked. However, IP addresses alone do not always accurately represent user identity, especially in environments where users frequently move between devices or networks. Identity Awareness associates network traffic with authenticated user identities obtained from identity providers. This allows administrators to create policies that reference specific users or groups instead of static IP addresses. By enforcing policies based on identity, organizations can apply more precise access controls and maintain better visibility into user activity across the network.

Demand Score: 76

Exam Relevance Score: 79
