Checkpoint Firewall: How to configure Browser-Based Authentication (Captive Portal) authenticate users before access Internet.


Browser-Based Authentication uses a web interface to authenticate users before they can access network resources or the Internet. When users try to access a protected resource, they must log in to a web page to continue. This is a method that identifies locally defined users or users that were not successfully identified by other methods. 

2. Network Diagram.

This article will guide you how to configure the Browser-Based Authentication feature on Checkpoint Firewall for authentication, as well as create user-specific policies before access the Internet.

3. Instructions

Step 1: Configure Browser-Based Authentication.

To enable Browser-Based Authentication feature on the administrative interface of Checkpoint Firewall > Access Policy > User Awareness > Blade Control > Click ON User Awareness.

Under Policy Configuration > click Browser-Based Authentication > click Configure.

In the Identification tab:

You can select Block unauthenticated users when the captive portal is not applicable for unauthenticated users.

Specific destinations: Select Internet.

Switch to Customization tab: You can leave this tab default or you can use another logo as you like by clicking Upload.

Switch to the Advanced tab:

Portal Address: Keep the default setting which is the address the Captive Portal runs on the Check Point Appliance or enter a different portal address.

Session timeout: Sets for how long an authenticated user can access the network or Internet before they have to authenticate again.

Enable Unregistered guests login: Allow an unregistered, guest user to be identified in the logs by name and not only by IP address. An unregistered user is an unmanaged non-AD user, typically a partner or a contractor. To gain access, guests enter their company name, email address, phone number (optional), and name.

Guest Session timeout: This is the number of minutes for which a guest user can access network resources. The default timeout is 180 minutes. Guest access is logged. The name of the guest shows in the User column of the Logs and Monitoring tab. The other details show in the full log entry.

Force quick cache timeout if user closes portal window: When the portal is closed, the user is logged out.

Finally click Apply.

Step 2: Create Users.

In the administrative interface of Checkpoint Firewall > User & Objects > User Awareness > User > New > Local User.

In the Remote Access tab: Enter the parameters as shown below. Click Apply.

Here I create 2 users, John and Steven.

Step 3: Check the configuration.

When you try to access some websites, a Checkpoint website will appear that requires authentication user before access the Internet.

You enter the Username and Password of John created in step 2. Click Log In.

Click choose “I have read and agreed to the terms and conditions“. Click Next.

Once successfully authenticated, you will access the internet normally.

Note: You must not turn off this authentication page to maintain Internet access.

Step 4: Create Policy with Authenticate User.

Next, I will create a policy to block access facebook for user John.

On the administrative interface of Checkpoint Firewall > User & Objects > Network Resources >Network Object Groups > New.

Enter a name for Network Object Groups (Ex: Block_FB_VN) > New > Type: Domain Name > Domain: Click Apply.

To create a Policy, go to Access Policy > Firewall > Policy > New > On Top.

In the Source section: select User tab > select John.

Destination: select Network Object Groups (Ex: Block_FB_VN).

Action: select Block.

Click Apply.

Policy to block access facebook for user John.

Test: Authenticate with user John and try to access facebook, the result is inaccessible. But other websites are still accessed normally.

Check Logs on Checkpoint Firewall. All traffic of user John is dropped.

Next, login with user Steven, then access facebook normally.

Check Logs on Checkpoint Firewall. Log shows user John has logged out and user Steven has successfully logged in.

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.