Tuesday, November 20, 2018

How to integrate Check Point firewalls with Cisco ISE 2.4 and Active Directory using permissions based on Windows User accounts and Check Point Roles


Integrating Check Point firewalls with Cisco ISE 2.4 and Active Directory using permissions based on Windows User accounts and Check Point Roles - by John Ejaife


In medium and large enterprises, network teams can grow in size to include personnel of varying skill levels. You may want to restrict certain powerful commands to only a few members who possess a higher level of expertise. Additionally, there may be an operations team that acts as a front line when network problems arise. These team members might only need read-access to the configuration and a few diagnostic commands for basic troubleshooting to determine whether or not a problem needs to be escalated. This document will walk you through how to configure whether user gets full, admin-level access or read-only access to a Check Point secure gateway, using Cisco ISE 2.4, Radius, Microsoft Active Directory security groups and Check Point firewall roles.

In this example we'll create permissions for a NOC user and an Admin user.

The steps can be summarized as follows:

I. Joining ISE to the Windows Domain.
II. Create Roles on the Check Point Firewall.
III. Add ISE as a RADIUS server in the Check Point GUI.
IV. Configure RADIUS in ISE.


Our example topology looks like this



I. Joining ISE to the Windows Domain.
In our instance, we have a Primary Domain Controller running Server 2016. (ActiveDirectory has already been preconfigured).

1. Log on to ISE via Internet Explorer. (In our case, it’s http://192.168.133.220/admin)
2. Click Administration > Identity Management > External Identity Sources > Active Directory.
3. Click Add. Enter a name for the Join Point which is the host name of the domain controller (in our case, it is “ad1”) and enter the domain. Then click submit
4. Enter the username and password of an Active Directory account that has rights to join a computer to the domain. You will want to make sure that NTP is configured and operational on both the ISE server and the Server 2016 domain controller and that DNS services are operational on the network as well.
5. On the Windows Domain Controller we will want to create two security groups. For this example, we will create one security group, called “FWAdmin” and another group called “FWNoc.” We’ll add individual users to these groups on the domain controller. (Later on, we will create roles on the Check Point firewall that will have different sets of commands for each of these groups, and create rules in ISE, assigning these roles and their commands to different end users, based on which user is logging on).
6. After ISE has been joined to the domain and shows a status of operational, click the Groups menu option


Then click “Add” and choose “Select groups from directory.”


Click the “Retrieve Groups” button


Check the two desired groups for “FWAdmins and FWNoc” and click “OK”


II. Create Roles on the Check Point Firewall
In this example, we will create one role with 50 read/write commands, called “checkpointAdmins” and we will create another role with 5 read-only commands, called “checkpointNoc”

Using putty, we will want to connect to our Check Point Secure Gateway (in our lab at 192.168.133.11) and log in with local admin credentials. In our firewall, the admin shell has been set to BASH.

To enter configuration mode, you’ll want to type `clish`, first.




Now, we’ll want to create a role, called “checkpointAdmins.” We’ll want to give it full admin rights to the Check Point firewall. At the command prompt, type `add rba role checkpointAdmins domain-type System all-features` 


Then, for our Operations group, we will want to create a “checkpointNoc" role. For this, we’ll want to connect to the management interface of our Check Point Secure Gateway (in our lab, it’s 192.168.133.11) and log in with admin credentials. Once logged in, you will want to scroll down, click on the plus sign next to “User Management, and click “Roles.”



Then you will want to click the “Add” button. We’ll want to create a role called “checkpointNoc” Type this in the “Role Name” field. Then click on all the features you want available to this role and select the “Read Only” option in the pull-down menu to the top right.



Then click the “Extended Commands” tab. Check a few commands, like “Ping”, “Traceroute” and “Top,” for example. Then click “OK”


III. Add ISE as a RADIUS server in the Check Point GUI.
In the Check Point GUI, under “User Management,” click Authentication Servers



Under RADIUS servers, click, “Add”
Enter the IP address of the ISE server (eg 192.168.122.220) and choose a Shared Secret that you will also use to configure when you log into ISE. Then click “OK”
IV Configure RADIUS in ISE.
Log onto ISE via your Internet browser. The vendor specific attributes must be added for Checkpoint, since they do not ship out of the box with ISE.
Select Policy > Elements > Dictionaries



Expand System > Radius. Then click on “Radius Vendors”



Click Add to add a new Vendor:
Dictionary Name: Checkpoint
Vendor ID: 2620

Leave the other values as default. Click Submit.

Then click the Checkpoint hyperlink. Once it loads, click the Dictionary Attributes tab.
Click "Add."


Add these values:
CP-Gaia-SuperUser-Access
Data Type: UINT32
Direction: Both
ID:230

Make sure the box is checked that says “Allow multiple instances of this attribute to be used in a profile.” 
Then click Submit. This is needed to permit the dictionary attributes to be matched by multiple authorization rules.


Then add another dictionary attribute with these values:
CP-Gaia-User-Role
Data Type: String
Direction: Both
ID:229
Make sure that box is checked that says “Allow multiple instances of this attribute to be used in a profile.”
Then click Submit


Then create a Network Device Profile for Check Point. Click Administration > Network Resources > Network Device Profiles



Click “Add” to create a new network device profile for Checkpoint. Check the “Radius” checkbox and add the Checkpoint Dictionary we created earlier.


Name: Checkpoint-Firewalls (or whatever you'd like)
Vendor: Other
Supported Protocols: RADIUS
Radius Dictionaries: Checkpoint
Then click “Submit”

Next, we need to add a Device Group, or device type.
Navigate to Administration > Network Resources > Network Device Groups
Click the Add Button




Call it CheckPoint-DeviceType. In the “Parent Group” pull-down menu, select “All Device Types” and click “Save.”


Now we’ll need to add network devices for this profile. Navigate to Administration > Network Resources > Network Devices




Click “Add”



Add the IP address of the Checkpoint firewall, and give it a name. For Device Profile, set it to the device type of CheckPoint-Firewalls, from earlier. For the Device-Type, set it to CheckPoint-DeviceType.
For Device Profile, select "CheckPoint-Firewalls"
Under Network Device Group, for the Device Type, Choose "CheckPoint-DeviceType"


Scroll down and check the RADIUS Authentication settings and enter the same Share Secret, you entered in the Check Point GUI RADIUS section. Then scroll down and click save or submit.



Next, we'll need to create two conditions, one for the Full Admin Rights Role on the Check Point Gateway, and the other for the Read-Only role we created earlier on the Check Point Gateway.
Click Work Centers > Network Access > Policy Elements


Expand Conditions and click Library Conditions



Click in the blank space in the editor field


Then click on the “Identity group” button, and click “ad1 External Groups” per below.

Then click in the “Choose from list or type” pull-down menu, and choose “spikefisholutions.com/Users/FWAdmins.”


Click “Save.” Then select “Save as a new Library Condition” and call it “If-FWAdmins.” Then click “Save” again
Then click the x on the top right corner.
Now we’ll need to create a condition for the read only NOC users.
Click in the blank space in the Editor again


Click the Group icon





Then click “ad1 ExternalGroups” again.



Click the pull-down menu, where it says “choose from list or type” and this time choose "FWNoc.”


Then click “Save,” call it IF-Noc, and click “Save again
Now we’ll need to create 2 Authorization profiles, one for each Role on the Check Point Secure Gateways (so one for the “checkpointAdmins” role, and the other for the “checkpointNoc” role.

Click Work Centers > Network Access > Policy Elements.
Under Policy Elements, expand “Results” and click “Authorization Profiles”




Click “Add” and call it “CheckPoint-NOC”
Set Access Type to “ACCESS_ACCEPT”
Set Network Device Profile to CheckPoint-Firewalls
Under the “Advanced Attribute” settings, choose Checkpoint:CP-Gaia-User-Role and set it to equal “checkpointNoc” which is the role on the CheckPoint gateway.


Click the + sign to add a second attribute.
Choose “Checkpoint:CP-Gaia-SuperUser-Access, and set it equal to the number 1. Then click “Save”


Then click “Submit.”
Now, using similar steps, create an authorization profile for the “checkpointAdmin” role as per below


This type, change the Checkpoint:CP-Gaia-User-Role to equal “checkpointAdmins”


Now, we must define an “Authentication Policy.”
Click Work Centers > Network Access > Policy Sets.
Click the + sign under Policy Sets


Under Policy Set Name, call it “CheckPointFirewalls” Click the + sign under Conditions to add a condition.
Then click in the blank space under the editor and click the device icon

Then choose the “DEVICE Device Type” menu option.


Next to the “Equals” pull-down menu, click in the “Choose from list or type” field, and select “All Device Types#CheckPoint-DeviceType/” Then click the “USE” button below.


Under the “Allow Protocols /Server Sequence” column heading, click in the pull-down menu, and choose “Default Network Access.”

Then click the “Save” button.
Then under the View column, click the right pointing caret (the'>' symbol, encircled below, to the right, in blue)



Then Expand the “Authentication Policy” section.
Under the “Use” column, click the pull-down menu, and select “ad1” which is the Windows Domain Controller we joined to.


Scroll down to past “Authorization Policy – Local Exceptions” and “Authorization Policy – Global Exceptions” and Expand “Authorization Policy”

Click on the + sign to create a new rule



Click on the + sign under the “Conditions column”
Drag the “IF-FWAdmins” condition to the space underneath the editor, as indicated by the blue arrow below, and click. Then click the “USE” button


Then under the “Results/Profiles” column, click in the open box, and choose “Check-point admin”


Then repeat the same steps above, but for the NOC group, so the Authorization Policy looks like this


Then click “Save”

Now, on the Windows server, place one user in the FWAdmins group and the other user in the FWNoc group, and have them log on to the Check Point Security Gateway management interface. The user in the FWAdmins group should have full rights, while the user in the FWNoc group should just have read access.

Let's log in to the Check Point firewall with the Windows ckptnoc user



As you can see, from the grayed out "Add" button in the screenshot below, the ckptnoc user only has read-access to the interfaces.

For more information, on this and other solutions, you can reach out to us at sales@spikefishsolutions.com