Checkpoint Firewall: How to configure synchronized Users from AD (Active Directory) to Checkpoint Firewall.


In the User Awareness page you can turn the blade on or off and use the configuration wizard to configure sources to get user identities, for logging and configuration purposes.

To use User Awareness, you must configure identification methods to get information about users and user groups. After the gateway acquires the identity of a user, user-based rules can be enforced on the network traffic in the Access Policy.

User Awareness can use these sources to identify users:

  • Active Directory Queries: Seamlessly queries the AD (Active Directory) servers to get user information.
  • Browser-Based Authentication: Uses a portal to authenticate either locally defined users or as a backup to other identification methods.

2. Network Diagram.

This article explains how to synchronize users from AD to the Checkpoint Firewall, use those synchronized users to authenticate VPN Remote Access, and build policy based on synchronized user groups.

3. Instructions.

Step 1: Configure Active Directory Queries.

For example, the AD server has three groups: Accounting, Sales and IT.

Each group contains one user: John, Kane or Kevin.

In the Checkpoint Firewall administration interface, go to Access Policy > User Awareness > Blade Control.

Turn User Awareness on, then click Active Directory Queries > Configure…

In Active Directory Queries, click Define a new Active Directory and enter the following parameters:

  • Domain: the AD domain name
  • IPv4 address: the IP address of the AD server
  • User name: a domain user account (a domain administrator account is recommended)
  • Password: that user's password
  • User DN: the full Distinguished Name of the user (e.g. CN=Administrator,CN=Users,DC=vacif,DC=local)

Click Discover. If no error message appears, the query succeeded. Click Apply.
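A common reason Discover fails is entering a UPN, a DOMAIN\user name or a domain name mismatch in the User DN field. The following pre-flight check, added here as an example and not part of the article or of Checkpoint's software, parses the form values before they are typed into the gateway; the IPv4 address is a constructed placeholder and the DN matches the article's example.

```python
import ipaddress
import re

# Constructed example values mirroring the article's vacif.local domain (placeholder IP).
AD_CONFIG = {
    "domain": "vacif.local",
    "ipv4_address": "192.0.2.10",
    "user_dn": "CN=Administrator,CN=Users,DC=vacif,DC=local",
}

RDN_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.+)$")


def parse_dn(dn):
    """Split an LDAP DN into (attribute, value) pairs, left to right.
    Backslash-escaped commas inside a value are kept; returns None if any RDN
    lacks the attr=value form (so a UPN or DOMAIN\\user string is rejected)."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            buf, escaped = buf + ch, True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    out = []
    for rdn in rdns:
        m = RDN_RE.match(rdn.strip())
        if not m:
            return None
        out.append((m.group(1).upper(), m.group(2)))
    return out


def check_ad_query_config(cfg):
    """Return a list of problems found; an empty list means the values are consistent."""
    problems = []
    try:
        ipaddress.IPv4Address(cfg["ipv4_address"])
    except ValueError:
        problems.append("IPv4 address is not a valid IPv4 address")
    dn = parse_dn(cfg["user_dn"])
    if dn is None:
        problems.append("User DN is not a DN (expected CN=...,CN=Users,DC=...,DC=...)")
        return problems
    if dn[0][0] != "CN":
        problems.append("User DN must start with the user's CN")
    # The DC components, joined with dots, must spell the Domain field.
    dn_domain = ".".join(v for a, v in dn if a == "DC")
    if dn_domain.lower() != cfg["domain"].lower():
        problems.append(f"User DN domain components ({dn_domain}) differ from Domain ({cfg['domain']})")
    return problems
```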

When you click Configure again, the domain “vacif.local” will appear in the Use existing Active Directory servers table.

Next, scroll down to User & Objects > User Management > Authentication Servers > Active Directory.

Click “Permissions for Active Directory users”, and under Grant remote access permissions to: select “Selected AD user group” so that synchronized user groups can be used to authenticate VPN Remote Access. Click Apply.

Step 2: Add User Groups for Remote Access Users.

Go to VPN > Remote Access > Remote Access Users > Edit Permissions > Active Directory.

Here you will see the User Groups that have been synced from AD.

Select the User Groups you want to use for authentication. Click Apply.

You have now added the three groups: Accounting, Sales and IT.

Note: You cannot add an individual AD user here; you can only select the group that contains that user.

Step 3: Check VPN Remote Access authentication using User Sync from AD.

For the VPN Remote Access configuration using the Checkpoint VPN Client, refer to the following article:

Check VPN remote access with user Kevin in Group Accounting: Connection successful.

Check VPN remote access with user Kane in Group Sales: Connection successful.

Check VPN remote access with user John in Group IT: Connection successful.

You can also create a separate policy for an AD group under Access Policy > Firewall > Policy > New Policy.

In Source > Active Directory, select the group (e.g. Accounting).
