[Check Point] Search for AD users in Access Roles

Alice's Adventures in Wonderland

Search for AD users in Access Roles

Are you using Identity Awareness functionality on your Check Point Firewall? Is it very convenient, isn’t it? Identity Awareness can be used for local traffic and VPN remote access as well. You can directly map Active Directory Users and Computers in your Access Roles and build rules per user (or computer), instead of IP address. Read the official documentation for getting more information, you could discover a new world!
Now, do you like to search for AD users in your Access Roles? Have you noticed that the only searchable users through the Object Explorer are local users? In other terms, you can only search users created locally on the management database, but you can’t do that for external accounts like AD users! Sigh…

This is a serious lack of the SmartConsole: the impossibility to find if an AD user is already configured in any Access Role. Indeed, there’s no way to know if a user already exists in one of your Access Roles. You may happen to create duplicated Access Roles including same users. That might be very confusing during a troubleshooting. Thus, before adding a new Access Role, you should verify if the interested user to be mapped already exists in another one.

The Bianconiglio script

For that reason, I wrote a simple python script able to search AD users in Access Roles. I named it Bianconiglio, who is the White Rabbit of Alice’s Adventures in Wonderland.

Download the Bianconiglio script

It is very simple to use. The syntax just accepts the username and the optional case-insensitive parameter:

Search for AD users in Access Roles

So, assuming you want to search the user 012345, the command to run is:

./getADuser.py 012345

The result will be something like the following. It shows the Access Role containing the user you’re searching for and other members (users and groups) within the same Access Role.

Search for AD users in Access Roles

The only configuration you need to implement on your firewall is the creation of a Read Only All user authenticated by API key. For instance:

Read only All User

Then, you need to copy&paste your Management Server IP address and the generated API key within the Bianconiglio script. For instance:

Bianconiglio configuration

If you have found this post useful, please visit the Contribute page