Regular Contributor I
Posts: 171
Registered: ‎04-13-2009

Clearpass Generic HTTP Context Server - Checkpoint

Hello Everyone,

I was wondering if anyone has tried to set up any context server integration with CPPM and Checkpoint firewalls.

Our end goal is to enable Checkpoint to apply different firewall policies to different roles of guest. What we would like to do is to write rules in Checkpoint based on user roles defined in ClearPass and Aruba, and have Checkpoint apply different rules based on these roles.

Does anyone have any documentation of having CPPM talk to Checkpoint to pass user/group/role information, and then how this can be processed inside Checkpoint? I believe I heard from someone in the past that this might be possible using the Generic HTTP context server in 6.5, but I can't find much information about how this works.

_ELiasz

-------------------
ACDX, ACCP, CISSP, CWNA
Guru Elite
Posts: 8,460
Registered: ‎09-08-2010

Re: Clearpass Generic HTTP Context Server - Checkpoint

There are native Checkpoint server actions in 6.5. These update the
Checkpoint with username/IP combinations. So you're looking to add more
information?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 171
Registered: ‎04-13-2009

Re: Clearpass Generic HTTP Context Server - Checkpoint

I guess my confusion is that Checkpoint will not understand a random username. For example, if we have an anonymous guest with user '883883', how is that handled in Checkpoint?

I get that for AD users this makes sense, as Checkpoint can be aware of domain users, and when it gets passed a username it can find this user in AD and then apply rules based on AD groups.

However, for a guest user, if we just pass the guest username, how will Checkpoint know if it's a Guest or a contractor? Looking in ClearPass, the action for the Checkpoint is:

[{"command":"add_user","username":"%{name}","ip":"%{ip}", "machine_name":"%{machine}","domain":"%{domain}",......

Could we change it up so that it says something like:

[{"command":"add_user","username":"%{role}","ip":"%{ip}", "machine_name":"%{machine}","domain":"%{domain}",.......

Would this pass the TIPS role as the username? Then we could fake it by creating users in AD with the username set to our ClearPass roles? Then Checkpoint could look up these 'users' and find a group. We could then write rules in Checkpoint with these groups?

I guess my confusion lies in how Checkpoint uses this information, and what the best information would be to pass for guest users?

Thanks,

_ELiasz

-------------------
ACDX, ACCP, CISSP, CWNA
Moderator
Posts: 488
Registered: ‎11-09-2012

Re: Clearpass Generic HTTP Context Server - Checkpoint

Guys,

I'll hopefully have the CheckPoint TechNote released early next week....

The context server actions in 6.5 will not help you currently.... they are in there for a release of FW-1 that is not FCS yet.

Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Regular Contributor I
Posts: 171
Registered: ‎04-13-2009

Re: Clearpass Generic HTTP Context Server - Checkpoint

Thanks for the quick reply, Danny. I look forward to checking out the TechNote when it's available.

_ELiasz

-------------------
ACDX, ACCP, CISSP, CWNA
Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Clearpass Generic HTTP Context Server - Checkpoint

CheckPoint Integration TechNote 1.2

 

Check here for all the latest technotes

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
