LDAP Integration with Checkpoint Firewall

Created by Amar Singh in Articles 4 Nov 2024

Integrating LDAP with Check Point Firewall lets the Security Gateway verify users against a central directory (here, Microsoft Active Directory) instead of a firewall-local user database. Access is then granted and revoked in one place, based on the user's directory group membership, rather than by maintaining a second copy of every user on the firewall.

This article walks through the steps of a working LDAP integration in two stages: first a legacy User Authentication rule that checks a Check Point password stored on the Security Management Server, then the same kind of rule driven by an LDAP group fetched from an Active Directory account unit. Check Point courses can give IT professionals the background needed to tune these configurations and manage user identities effectively.

Task

● Understand user authentication and identity management on the Security Gateway.

● Perform a telnet authentication from the internal client (172.11.3.3) to the external client (172.11.4.3) using the legacy authentication method User Authentication with the authentication scheme Check Point Password; the username is Uninets and the password is admin123.

● Manage user access to different services such as HTTPS and SSH using an external user database over LDAP; the IP address of the AD server is 172.11.3.3.

Explanation

Check Point authentication features let you verify the identity of users whose connections pass through the Security Gateway, and they let you control access by permitting some users and denying others. The credentials a user presents are checked against whichever authentication scheme has been specified for that user, such as LDAP, RADIUS, SecurID or TACACS.



Creating Users and Groups

Authentication rules are defined on user groups, not on individual users, so you must first define users and then add them to groups before you can write an authentication rule. Users can be defined in the Security Gateway's proprietary (internal) user database or on an external LDAP or RADIUS server.

User Types

1. External User Profile: externally defined users who do not exist in the internal user database. External users are matched either by their name or by their domain.

2. LDAP Groups: LDAP groups are required for operations such as writing access rules for LDAP users or defining LDAP remote access communities.

3. Templates: templates speed up user definition and prevent mistakes; you create a new user from the appropriate template and change only the few properties that differ.

4. User Groups: user groups are collections of users and sub-groups. They are used for several purposes, such as VPN communities and local database management.

5. Users: local or remote clients who are allowed to access your network and resources.

Types of legacy authentication

1. User Authentication: authentication on a per-user basis for the services HTTP, HTTPS, FTP and telnet. It is the most secure of the three methods because the authentication is valid for one connection only.

2. Session Authentication: provides an authentication mechanism for any service and requires the user to supply credentials for each authentication session. A Session Authentication Agent must be installed on every authenticating client, and the method is not suitable for authenticating HTTP, because browsers open multiple connections per session.

3. Client Authentication: permits multiple users and connections from an authorized IP address or host. Authorization is performed per machine: for example, if FINGER is authorized for a client machine, every user on that machine is authorized to use FINGER and is not asked for a password.

Authentication schemes

1. Check Point Password: the Security Gateway checks a static password stored, for each user, in the local user database on the Security Management Server.

2. Operating System Password: the Security Gateway authenticates with the username and password stored in the operating system of the gateway itself, such as Gaia OS.

3. RADIUS: an external authentication scheme that provides security and scalability by separating the authentication function from the access server. The Security Gateway talks to the RADIUS server over UDP, and both sides must be configured with the same shared secret, which is the only thing protecting the user's password on the wire.

4. TACACS: also an external authentication scheme that provides verification services; it provides access control for routers, network access servers and similar devices.
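Because RADIUS carries the user's password over UDP, the only protection for that password is the shared secret: the NAS (here, the Security Gateway) hides the password by XORing it with MD5 digests derived from the secret and a per-request random authenticator, as specified in RFC 2865 section 5.2. The following is an added example, not code from this article or from Check Point, that builds and decodes such an Access-Request in Python. The username, password and addresses are the lab values from this article, the shared secret and fixed authenticator are constructed test values, and no packet is actually sent.

```python
"""Minimal RADIUS Access-Request encoder/decoder (RFC 2865) with PAP
User-Password hiding. Added example; not Check Point's implementation."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def obfuscate_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password: pad to 16-byte blocks, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining: next key depends on this ciphertext block
    return out


def deobfuscate_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of obfuscate_password; only correct if the secret matches.
    Trailing NUL padding is stripped (passwords are assumed not to end in NUL)."""
    if not cipher or len(cipher) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = cipher[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, key))
        prev = chunk
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """TLV encoding: Type, Length (including the 2 header octets), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, nas_ip: str, authenticator: bytes = None) -> bytes:
    """Code(1) | Identifier | Length | Authenticator(16) | Attributes."""
    if authenticator is None:
        authenticator = os.urandom(16)  # must be unpredictable per request
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, obfuscate_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes):
    """Return (code, identifier, authenticator, {type: value}) for a RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length > len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, packet[4:20], attrs


if __name__ == "__main__":
    # Constructed test values: lab user from this article, made-up secret.
    secret = b"testing123"
    pkt = build_access_request(7, "Uninets", "admin123", secret, "172.11.3.3")
    code, ident, auth, attrs = parse_attributes(pkt)
    print("hidden password:", attrs[ATTR_USER_PASSWORD].hex())
    print("recovered with right secret:", deobfuscate_password(attrs[ATTR_USER_PASSWORD], secret, auth))
    print("recovered with wrong secret:", deobfuscate_password(attrs[ATTR_USER_PASSWORD], b"wrong", auth))
```

Running it shows why the shared secret must be strong and unique per NAS: anyone who captures the UDP packet and knows (or guesses) the secret recovers the Check Point user's password directly, since the scheme is reversible and not a keyed hash.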

Configuration

First log in to SmartDashboard, select the Security Gateway object and double-click it to open its properties.

On the gateway's Authentication page all legacy authentication schemes are enabled by default. This task uses only the Check Point password scheme, so leave Check Point Password selected, clear the others, and click OK.

Now add the user. Open the Users and Administrators tab, select Users and create a new user named Uninets. Then open the Authentication tab of the user properties.

Several authentication schemes are offered here; select Check Point Password and enter the password admin123 from the task. A password this short and guessable is acceptable only in a lab; in production apply the organization's password policy or use an external scheme. Click OK, and the user Uninets now exists in the internal user database.

Authentication rules are bound to groups, not to individual users, so create a user group named tel-auth: click New Group, select the user Uninets, click Add and then OK. The group tel-auth now appears in the object tree.

Next create the rule that the telnet traffic through the firewall will match. Open the Policy tab and add a rule. Right-click the Source cell, choose Add Objects and then Add Legacy Users Access, select the group tel-auth and click OK. Set the Destination to the external-client host object and click OK. In the Service cell click Add Object, select telnet and click OK.

Finally bind the authentication method: in the Action cell choose Legacy and then User Auth. Save the policy and install it on the Security Gateway.

Verification

From the client, open a telnet session to the external client. The gateway intercepts the connection and prompts for credentials before forwarding it:

dmz-cleint#telnet 172.11.4.2
Trying 172.11.4.2 ... Open

Check Point FireWall-1 authenticated Telnet server running on firewall-Gateway
Connected to 172.11.4.2

User Access Verification

Username: uninets
Password:

external-client>

The external client's prompt appears only after the gateway has accepted the Check Point password, so the User Authentication rule is working. Note that telnet carries the username and password in cleartext, so the Check Point credentials cross the network unprotected; this is fine for a lab, but in production prefer SSH or a method that does not expose the password.

Task: 02

The second task integrates the gateway with LDAP on a Windows Server 2008 R2 domain controller whose IP address is 172.11.3.3. First create a host object for it: in the object tree click Nodes, create a new host named win-server-2008, give it the IP address 172.11.3.3 and click OK. The new node win-server-2008 now appears in the object tree.

Next create the LDAP Account Unit. Open the Servers and OPSEC tab, right-click Servers, choose New, and from the list of server types select LDAP Account Unit.

Give the account unit the name win-server-users and set the profile to Microsoft_AD; the profile must match the directory product on the other end, which here is a Microsoft server. Enter the domain name of the directory, itnerds.com, which already exists on the server. Then click the Servers tab.

Click Add to define the LDAP server. The host is the node object created above, win-server-2008. Then enter the username, Login DN and password of the account the gateway will bind with; these values belong to the directory, so obtain them from the server administrator. Use a dedicated read-only service account for the Login DN rather than a domain administrator, and enable SSL encryption for the LDAP connection (the Encryption settings of the server object) so the bind password and directory contents are not sent as cleartext LDAP on port 389. Click OK.

Click Fetch Branches and then OK. Once fetching completes the LDAP Account Unit is created, and the Users tab now shows the directory's users and groups synchronised with the Security Management Server.

As before, users cannot be bound to a rule directly, so create an LDAP group: click New LDAP Group, enter the name LDAP-GP, set the account unit to win-server-users and click OK. The group LDAP-GP now appears in the object tree.

Now create the policy rule. Open the Policy tab, right-click the Source cell, choose Add Objects and then Add Legacy Users Access, select the group LDAP-GP and click OK.

Bind the authentication scheme by choosing User Auth in the Action cell, then save the policy and install it on the Security Gateway.

Once installation finishes, the policy is active on the gateway.
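The LDAP group object created above decides which directory users match the rule's Source column. In Check Point's LDAP Group object the scope can be all users of the account unit, only the users under a branch (sub tree), or only the members of one directory group within a branch; which branch and group are chosen determines who gets through. The following is an added example, not code from this article or from Check Point, that models those three scopes over a constructed in-memory snapshot of the itnerds.com directory, then checks whether a login name presented to the gateway falls inside the resolved set. Entry names (uninets, carol, bob, OU=Contractors) are constructed test data; the helper names and the simplified DN handling (no RFC 4514 escaping) are this example's own.

```python
"""Model of how an LDAP Group object scopes users from an Account Unit.
Added example with constructed directory data; not Check Point's code."""
from dataclasses import dataclass, field


@dataclass
class Entry:
    dn: str
    object_class: str                  # "user" or "group"
    sam_account_name: str = ""         # AD login name; empty for groups
    member_of: list = field(default_factory=list)  # DNs of groups, like AD memberOf


def dn_parts(dn: str) -> list:
    """Split a DN into lowercased RDNs. Simplification: escaped commas are not handled."""
    return [p.strip().lower() for p in dn.split(",")]


def in_branch(dn: str, branch: str) -> bool:
    """True when dn is at or below branch (suffix comparison, case-insensitive)."""
    d, b = dn_parts(dn), dn_parts(branch)
    return len(d) >= len(b) and d[-len(b):] == b


def resolve_group_members(directory: list, scope: str, branch: str = None,
                          group_dn: str = None) -> set:
    """Return the DNs of users the LDAP Group object selects.
    scope: "all" (every user in the account unit), "subtree" (users under
    branch), or "group" (users under branch that are members of group_dn)."""
    users = [e for e in directory if e.object_class == "user"]
    if scope == "all":
        return {u.dn for u in users}
    if branch is None:
        raise ValueError("subtree and group scopes need a branch")
    if scope == "subtree":
        return {u.dn for u in users if in_branch(u.dn, branch)}
    if scope == "group":
        if group_dn is None:
            raise ValueError("group scope needs a group DN")
        return {u.dn for u in users
                if in_branch(u.dn, branch)
                and any(m.lower() == group_dn.lower() for m in u.member_of)}
    raise ValueError(f"unknown scope {scope!r}")


def find_user(directory: list, login: str):
    """Account Unit lookup by sAMAccountName (case-insensitive, as AD treats it).
    Returns None unless exactly one user matches, so an ambiguous name never authenticates."""
    matches = [e for e in directory
               if e.object_class == "user" and e.sam_account_name.lower() == login.lower()]
    return matches[0] if len(matches) == 1 else None


def rule_matches_source(directory: list, login: str, group_members: set) -> bool:
    """Does the user behind this login fall inside the rule's Source group?"""
    user = find_user(directory, login)
    return user is not None and user.dn in group_members


# Constructed snapshot of the lab domain itnerds.com (not real directory data).
DIRECTORY = [
    Entry("CN=LDAP-GP,CN=Users,DC=itnerds,DC=com", "group"),
    Entry("CN=uninets,CN=Users,DC=itnerds,DC=com", "user", "uninets",
          ["CN=LDAP-GP,CN=Users,DC=itnerds,DC=com"]),
    Entry("CN=carol,CN=Users,DC=itnerds,DC=com", "user", "carol"),
    # bob is in the group but lives outside CN=Users; branch choice decides his fate
    Entry("CN=bob,OU=Contractors,DC=itnerds,DC=com", "user", "bob",
          ["CN=LDAP-GP,CN=Users,DC=itnerds,DC=com"]),
]

if __name__ == "__main__":
    narrow = resolve_group_members(DIRECTORY, "group",
                                   branch="CN=Users,DC=itnerds,DC=com",
                                   group_dn="CN=LDAP-GP,CN=Users,DC=itnerds,DC=com")
    wide = resolve_group_members(DIRECTORY, "group",
                                 branch="DC=itnerds,DC=com",
                                 group_dn="CN=LDAP-GP,CN=Users,DC=itnerds,DC=com")
    for login in ("uninets", "carol", "bob"):
        print(login, "narrow:", rule_matches_source(DIRECTORY, login, narrow),
              "wide:", rule_matches_source(DIRECTORY, login, wide))
```

The point for the rule base: with the branch set to CN=Users only uninets matches LDAP-GP, while a branch at the domain root also admits bob from OU=Contractors, even though the group object has the same name in both cases. Check the scope and branch of the LDAP group object, not just its name, when reviewing who a rule really lets through.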

Verification

When a connection matching the rule is opened, the gateway again prompts for a username and password. This time the credentials are checked through the account unit against Active Directory rather than against the internal user database, so any user in LDAP-GP can authenticate without being defined on the firewall.

In conclusion, integrating LDAP with Check Point Firewall strengthens network security by centralising user authentication and access management. By following the steps above, organizations can manage user identities in the directory and enforce access policies on the gateway from a single source of truth.

Network security courses can further deepen your understanding of such integrations and prepare IT professionals for the challenges of the modern cybersecurity landscape.

Amar Singh

Amar Singh is a senior security architect and a certified trainer. He is currently working with a reputed organization based out of India. His accomplishments include CCNA, CCNP Security, CEH, Vmware, Checkpoint and Palo Alto Certifications. He is holding more than 12 years of experience in Network security domain. In his career he has been ...
