Check Point Lab R80.40 - 8. Identity Awareness

Captions
Hello, this is Johnny. Welcome back to my NetSec YouTube channel. In today's video I'm gonna talk about the Check Point R80.40 Identity Awareness blade. So let's start with the diagram. I'm having one Check Point firewall, IP 172.17.1.21. I have test machine 1.42, management server 192.168.2.37, my SmartConsole installed on .2.41. I have a new infrastructure server, AD and SMTP server, on 192.168.2.2, and then we are using router 192.168.2.1 to go to the internet. That's the infrastructure. This is our firewall, this is our management server.

First thing, when we go to Identity Awareness, we need to enable it on a gateway. Right-click your firewall gateway, choose Edit, enable the Identity Awareness blade. Now the Identity Awareness configuration wizard is gonna show up. It's gonna ask you a bunch of questions. So here we're gonna select how users will be identified by your security gateway. So we will choose all of that: we will choose browser-based authentication and also AD Query and terminal servers. For terminal servers we need an agent. Probably at this moment we won't need a lot, so I can uncheck this one; we won't test that. And then we need to create a new domain. So let our AD server domain be 192.168.2.12, domain name is 51sectest.dev, and we need to use a domain admin. In domain controllers we can use dc1.51sectest.dev, and then we need to connect to it. Just waiting: the gateway and management server are connecting to dc1.51sectest.dev. Okay, successfully connected. Next: to activate browser-based authentication, define an access rule like the one below. So this one shows the captive portal. So we're gonna use the main URL. The portal is accessible only through internal interfaces, so which one is our internal interface? That will be defined under Network Management. So we can do Next. Identity Awareness is now active. Finish. We need to add an access rule, and then we need to install policy, and then we can check the firewall logs. That's the basic step to enable the Identity Awareness blade. Simple and easy.

We also can check the Identity Awareness blade configuration here from the gateway's properties. Let's see identity sources. We already enabled browser-based authentication using the captive portal to provide identity, also AD Query. We also can install the Identity Agent on a client machine to provide that identity; this is a very lightweight agent that needs to be installed on users' computers. Also, for terminal servers we need the agent as well, similar thing. Identity Awareness supports using terminal servers, RADIUS accounting (we can get the identity data from RADIUS accounting requests), Identity Collector, Identity Web API, and the last one is remote access, so Identity Awareness supports IPsec VPN users, Endpoint VPN. For our testing purposes we only use the first two, so I only enable the first two here. One more thing we can do is on the management server: we need to enable identity logging, so that will add identity information to logs, but it will need connectivity from the gateway and SmartDashboard to Active Directory. That is required, so we already have that. Let's try connecting again. It's successfully connected. Okay, now we're gonna make a policy installation.

For this lab we still need to install one agent, the terminal server agent, onto our test server. So there are different types of agents: there's a full and a light. We probably need a full agent. To get that you have to go to your firewall gateway, in this folder, and then you should be able to see a full agent and a light agent. Usually I FTP it out to my server using the mode and put commands. After that you should be able to get it. So I downloaded it here; you should be able to get it from your FTP server, and then you can move it from your share folder to your local machine, then you should be able to install it. By the way, I already got my machine joined into the domain, so I logged in to Test1 as the domain admin user, admin1, and we should be able to use this terminal server agent to authenticate the machine. We're going to take a look at that.

Let's take a look at the gateway settings. At the same time we're gonna work on our firewall rules. So for Identity Awareness actually we need terminal servers and the pre-shared key; put down the pre-shared key here. Okay, don't forget to install your policy after making changes. So Windows configures the Check Point Identity Agent; that's way too loud. We can now create a security policy here. We're gonna add an access rule. We just say identified users, network users; you can specify your users and groups, for example you can check admin1, or let them all be test users. So identified users can go to anywhere when they're using HTTP traffic, right, and we will accept all the users. We're gonna add another access rule, which is only for any other users, and if they go into HTTP I'm gonna go to the captive portal. Right now we're gonna install it. Now, one second, we can enable logging. Enable logging, yep. You can use a specific server, DC1; that's our domain controller server. Okay, Check Point Identity Agent settings: we don't need it. We connect the server and we log server temp. Okay, the connect status is reconnecting. Okay, then we need to change the settings. Uh-huh, that's our internal server; it's the gateway, not our 17.1. We can trust it; that should be fine. Credentials to identify to the server: let's go to Test1. Okay, now it's connected. So the username is admin1. Okay, now we can go back to our Logs and Monitor. Let's search blade, so you can say we operate search Identity Awareness, and you can see admin1 has been logged in using admin1: successful login, access role updated. All looks fine.

Okay, policy has been pushed and now we can test it. We didn't get any prompt. This is an HTTP website. Let's try some HTTP website here as well, so BC Cancer, no problem. And let's do this: if we clean up our login session, so we un-authenticate our machine, we should get the captive portal. The other thing we need to do is we need to disconnect it. Okay, you have chosen to disconnect from the gateway; you accept. Okay, we disconnected it. Disconnecting is not enough; you need to revoke the token, revoke the session. Yeah, we're gonna do that. Before that, we're gonna check our logs: user initiated logout. Okay, pdp monitor all; you can see this session, .2.242. We need to clean up this session. If you try it again, even though it's disconnected, it's still not sure; it's not gonna show you that portal. It will not show you the portal here. So even after we disconnect, we can revoke this token, revoke this IP, basically pdp control revoke ip 192.168.2.242. Okay, let's now, .2.242, and from the blade Identity Awareness logs you should see some revoked information. It's been revoked. Now let's take a look, testing again the same HTTP website, and expect the captive portal. It's a little bit slow because they cannot identify a user; they talk to AD, they check everywhere and see if you are logged in. So now you see it's asking us to log in. So at the same time you still can put in admin1, using the same username and password, and then you will go in there. But at least this will be prompted out, this network login window. Amazing, isn't it? We can check that log again, right; it should be here. Show to what was trusted, and the authentication method became user and password, which we provided from the network access portal. That's it for Identity Awareness. Hope you enjoyed this. Thank you for watching.
Info
Channel: Johnny Netsec
Views: 3,274
Keywords: Security, 51Sec, NetSec, Cyber Security, ITProSec, Learning and Sharing, CheckPoint, Check Point, R80.40, Identity Awareness
Id: ptgGaC3bQVE
Length: 18min 7sec (1087 seconds)
Published: Wed Oct 07 2020