Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
ClearPass Generic HTTP Context Server - Checkpoint

  • 1.  ClearPass Generic HTTP Context Server - Checkpoint

    Posted Feb 27, 2015 11:04 AM

    Hello Everyone,

    I was wondering if anyone has tried to set up any context server integration with CPPM and Checkpoint firewalls.

    Our end goal is to enable Checkpoint to apply different firewall policies to different roles of guest. What we would like to do is to write rules in Checkpoint based on user roles defined in ClearPass and Aruba, and have Checkpoint apply different rules based on these roles.

    Does anyone have any documentation of having CPPM talk to Checkpoint to pass user/group/role information, and then how this can be processed inside Checkpoint? I believe I heard from someone in the past that this might be possible using the Generic HTTP context server in 6.5, but I can't find much information about how this works.

    _ELiasz



  • 2.  RE: ClearPass Generic HTTP Context Server - Checkpoint

    EMPLOYEE
    Posted Feb 27, 2015 11:05 AM
    There are native Checkpoint server actions in 6.5. These update the
    Checkpoint with username/IP combinations. So you're looking to add more
    information?


  • 3.  RE: ClearPass Generic HTTP Context Server - Checkpoint

    Posted Feb 27, 2015 11:15 AM

    I guess my confusion is that Checkpoint will not understand a random username. For example, if we have an anonymous guest with user '883883', how is that handled in Checkpoint?

    I get that for AD users this makes sense, as Checkpoint can be aware of domain users, and when it gets passed a username it can find this user in AD and then apply rules based on AD groups.

    However, for a guest user, if we just pass the guest username, how will Checkpoint know if it's a guest or a contractor? Looking in ClearPass, the action for the Checkpoint is:

    [{"command":"add_user","username":"%{name}","ip":"%{ip}", "machine_name":"%{machine}","domain":"%{domain}",......

    Could we change it up so that it says something like:

    [{"command":"add_user","username":"%{role}","ip":"%{ip}", "machine_name":"%{machine}","domain":"%{domain}",.......

    Would this pass the TIPS role as the username? Then we could fake it by creating users in AD with the username set to our ClearPass roles? Then Checkpoint could look up these 'users' and find a group. We could then write rules in Checkpoint with these groups?

    I guess my confusion lies in how Checkpoint uses this information, and what the best information would be to pass for guest users?

    Thanks,

    _ELiasz
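As an added illustration of the question in this post (example code written here, not from the thread, ClearPass or Checkpoint), the following Python renders the two action bodies the way a `%{attr}` substitution would, then simulates the directory lookup the poster expects the firewall to make. The session attributes, the closing bracket that replaces the truncated "......", and the directory groups are all constructed for the example.

```python
import json
import re

# Constructed sample of the attributes ClearPass would substitute into a
# context-server action body for one guest session (values are made up).
SESSION = {
    "name": "883883",        # anonymous guest username from the post
    "ip": "10.20.30.40",
    "machine": "guest-laptop",
    "domain": "GUEST",
    "role": "Contractor",    # the TIPS role the poster wants to pass instead
}

# The two action bodies from the post, with the trailing "......" replaced
# by a closing bracket so they parse (assumption for this example only).
TEMPLATE_BY_NAME = ('[{"command":"add_user","username":"%{name}","ip":"%{ip}",'
                    '"machine_name":"%{machine}","domain":"%{domain}"}]')
TEMPLATE_BY_ROLE = ('[{"command":"add_user","username":"%{role}","ip":"%{ip}",'
                    '"machine_name":"%{machine}","domain":"%{domain}"}]')

PLACEHOLDER = re.compile(r"%\{([A-Za-z0-9_:.-]+)\}")


def render_action(template, session):
    """Substitute %{attr} placeholders and return the parsed JSON body.

    A placeholder with no matching session attribute raises KeyError rather
    than silently sending an empty username to the firewall; each value is
    JSON-escaped so a quote inside an attribute cannot break the body.
    """
    def substitute(match):
        key = match.group(1)
        if key not in session:
            raise KeyError(f"session has no attribute %{{{key}}}")
        return json.dumps(str(session[key]))[1:-1]  # escape, drop the quotes
    return json.loads(PLACEHOLDER.sub(substitute, template))


# Constructed stand-in for the username -> group mapping the firewall would
# resolve against the directory; the guest name 883883 is deliberately absent.
DIRECTORY_GROUPS = {"jsmith": "Employees", "Contractor": "Contractors"}


def resolve_group(rendered, directory=DIRECTORY_GROUPS):
    """Return the group the lookup finds for the pushed username, or None."""
    return directory.get(rendered[0]["username"])
```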



  • 4.  RE: ClearPass Generic HTTP Context Server - Checkpoint
    Best Answer

    Posted Feb 27, 2015 11:20 AM

    Guys,

    I'll hopefully have the CheckPoint TechNote released early next week....

    The context server actions in 6.5 will not help you currently.... they are in there for a release of FW-1 that is not FCS yet.



  • 5.  RE: ClearPass Generic HTTP Context Server - Checkpoint

    Posted Feb 27, 2015 11:41 AM

    Thanks for the quick reply Danny. I look forward to checking out the TechNote when it's available.

    _ELiasz



  • 6.  RE: ClearPass Generic HTTP Context Server - Checkpoint
    Best Answer