Check Point ClearPass Integration Steps
The Check Point Firewall should run one of the following versions and should have the Identity Awareness blade.
• R80.XX
• For earlier R77 versions, contact Check Point support to get a required Hotfix for Check Point
ClearPass Configuration:
First add a generic HTTP Endpoint Context Server. Go to Administration > External Servers > Endpoint Context Servers.
Add the appropriate Server Name (IP Address); this will be translated into the Server Base URL. No Username/Password credentials are required to communicate with the Check Point firewall.
2. Context Server Actions Login/Logout - Go to Administration > Dictionaries > Context Server Actions:
Now that the Firewall endpoint has been defined, the next step is to set up the Check Point context server actions.
It is very important to modify both the Login and Logout Server Actions: these are what notify the Firewall when a user's session goes active or inactive. ClearPass then updates the Check Point firewall, which permits or denies this user. The firewall must not be notified that a session has started without also being told to clear it when the user disconnects.
Make a copy of the CheckPoint Login - Guest User & CheckPoint Logout.
<<IMPORTANT NOTE>>: To ensure the identity will not be verified against Check Point's identity sources, "fetch-user-groups" and "fetch-machine-groups" should be set to 0 (zero). This is very important for Guest Users: their userIDs do not exist within identity stores like Active Directory, as they are transient users. Some guest accounts could exist within a directory, but that is not usual. So, as part of the integration, identify these users and link them to a user group (a configurable Check Point attribute called an access role).
The important points to call out below are some of the additional fields that have been added, for example
user-groups, this is set in our example to aruba-guest. We have also added machine-groups, this is set in
our example to aruba-guest-machine. These groups will have to be created on the Check Point firewall.
Take care as no validation is performed and the spelling needs to be exactly the same. The creation of this
item on the firewall is covered later in section Check Point Configuration – Guest user account.
Another field added is roles. Note that the roles field is set to '[]', that is, a left and right square bracket.
The final change is that the two group fields, fetch-user-groups and fetch-machine-groups, are set to 0 (that is, a zero), which, as explained earlier, skips the AD validation at the Check Point firewall.
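Because ClearPass performs no validation of these fields, a small pre-deployment check is useful. The following is an added example, not code from the guide or from either vendor: it builds the guest Login and Logout bodies with the settings described above and flags the mistakes the text warns about (fetch flags not zero, group names not spelled exactly as on the firewall, roles not []). The "ip-address", "user" and "session-timeout" field names, the use of JSON arrays for the group and role fields, and the FIREWALL_GROUPS list are assumptions.

```python
import json

# Constructed list of group/access-role names assumed to exist on the
# firewall. The guide says nothing validates these, so spelling must match.
FIREWALL_GROUPS = {"aruba-guest", "aruba-guest-machine"}


def build_login_body(ip_address, username, session_timeout=3600):
    """Body for the copied 'CheckPoint Login - Guest User' action.

    Field names other than those discussed in the guide are assumptions.
    """
    return {
        "ip-address": ip_address,          # assumed field name
        "user": username,                  # assumed field name
        "session-timeout": session_timeout,  # assumed field name
        "fetch-user-groups": 0,            # skip AD / identity-store lookup
        "fetch-machine-groups": 0,         # same for the machine
        "user-groups": ["aruba-guest"],             # must exist on firewall
        "machine-groups": ["aruba-guest-machine"],  # must exist on firewall
        "roles": [],                       # literally [] as in the guide
    }


def build_logout_body(ip_address):
    """Body for the matching 'CheckPoint Logout' action (field name assumed).
    Every Login must have a Logout, or the firewall keeps the session open."""
    return {"ip-address": ip_address}


def check_guest_login_body(body, firewall_groups=FIREWALL_GROUPS):
    """Return a list of problems a guest Login action body would cause."""
    problems = []
    for flag in ("fetch-user-groups", "fetch-machine-groups"):
        if body.get(flag) != 0:
            problems.append(f"{flag} must be 0 for transient guest users")
    for key in ("user-groups", "machine-groups"):
        for name in body.get(key, []):
            if name not in firewall_groups:   # exact, case-sensitive match
                problems.append(f"{key}: '{name}' is not defined on the firewall")
    if body.get("roles") != []:
        problems.append("roles must be [] as the guide specifies")
    return problems


if __name__ == "__main__":
    login = build_login_body("10.1.2.3", "guest01")   # constructed sample
    print(json.dumps(login, indent=2))
    print(check_guest_login_body(login) or "login body OK")
    print(json.dumps(build_logout_body("10.1.2.3")))
```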