02-27-2015 08:03 AM
I was wondering if anyone has tried to set up any context server integration with CPPM and Checkpoint firewalls.
Our end goal is to enable checkpoint to apply different firewall policies to different roles of guest. What we would like to do is to write rules in Checkpoint based on user roles defined in Clearpass and Aruba, and have Checkpoint apply different rules based on these roles.
Does anyone have any documentation of having CPPM talk to Checkpoint to pass user/group/role information, and then how this can be processed inside Checkpoint? I believe I heard from someone in the past that this might be possible using the Generic HTTP context server in 6.5, but I can't find much information about how this works.
ACDX, ACCP, CISSP, CWNA
02-27-2015 08:04 AM
Checkpoint with username/IP combinations. So you're looking to add more
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
02-27-2015 08:15 AM
I guess my confusion is that Checkpoint will not understand a random username. For example, if we have an anonymous guest with user '883883', how is that handled in Checkpoint?
I get that for AD users this makes sense as Checkpoint can be aware of domain users, and when it gets passed a username it can find this user in AD, and then apply rules based on AD Groups.
However, for a guest user, if we just pass the guest username, how will Checkpoint know if it's a Guest or a contractor? Looking in ClearPass, the actions for the Checkpoint are:
Could we change it up so that it says something like:
Would this pass the TIPS role as the username? Then we could fake it by creating users in AD with the username set to our clearpass roles? Then Checkpoint could lookup these 'users' and find a group. We could then write rules in checkpoint with these groups?
I guess my confusion lies in how Checkpoint uses this information, and what the best information would be to pass for guest users?
ACDX, ACCP, CISSP, CWNA
02-27-2015 08:19 AM
I'll hopefully have the CheckPoint TechNote released early next week....
The context server actions in 6.5 will not help you currently.... they are in there for a release of FW-1 that is not FCS yet.
Snr Tech Marketing Engineer - ClearPass
07-27-2015 09:34 PM - edited 07-27-2015 09:35 PM