The latest version of the CheckPoint firewall software has a very useful feature for deployments in organisations that use O365 with AzureAD as the authentication mechanism.

This is becoming increasingly common, with end user devices registered with AzureAD and managed by Intune; however, I found the CheckPoint guides lacking, and there is not much else in the public domain on how to set this up.

Key assumptions

Before jumping in, this blog post makes the following assumptions:

  1. You have already got an existing AzureAD directory created and configured in your Azure subscription
  2. You have relevant permissions to create an application registration within AzureAD
  3. You have a CheckPoint appliance or Azure hosted gateway already running and licensed
  4. Your CheckPoint appliance is running version R81. This does not work on older versions.
  5. You have at LEAST one user and group in your AzureAD environment
  6. You have basic knowledge of the Azure portal, and CheckPoint

With all that out of the way, let's get started.

Creating the Azure AD application

Before we can set anything up on the CheckPoint, we need to do some groundwork in Azure: create a new application registration and a client secret, and note down the application ID and directory (tenant) ID.

  1. Log into your Azure console, most likely located at https://portal.azure.com
  2. Then, open up the AzureAD directory page.
  3. Select the “Enterprise Applications” option on the left hand side
  4. Click “New Application” on the top bar
  5. Click “Create your own application”
  6. Enter a name of choice for the application as per your organisation's naming format
  7. Select the option of “Integrate any other application you don’t find in the gallery (Non-gallery)”
  8. Click Create

Configuring the Azure AD Application

Now that you have an empty application, the configuration that makes it work needs to be added.
Head back to the main AzureAD screen and select “App Registrations”.

Now you need to note down two pieces of key information.

  1. Application (client) ID
  2. Directory (tenant) ID

You can retrieve these values at any point, so no need to worry about saving them in a password manager etc.

Once you have those noted, click “Certificates & Secrets” on the left hand menu list.

Click “New Client Secret”

Enter a description and then select an expiry period. I chose 6 months as this is a lab environment; however, you will probably want to select a period in alignment with your key management policy.

Click Add. You can only view this secret once, so note it down and save it in your password manager. If you lose the key you will have to create a new one and then update it on your CheckPoint appliance.

Configuring the CheckPoint appliance (Part 1)

First up, you want to connect to your CheckPoint management server, or gateway (if running in standalone mode), with the SmartConsole.

Go to the object browser on the right hand side and click the New button at the top. Select “More”, then “User/Identity”, then at the bottom select “Azure AD”.

This will bring up a configuration window where you can now enter your AzureAD information.

Provide a useful object name. Remember that CheckPoint sometimes has issues with spaces in object names, so it is best to avoid them and use alternative punctuation.

Paste the Application ID and Directory ID from the earlier steps.
Paste the secret key into the “Application Key” field.

Click “Test Connection”. If all is well, you can then click OK and save. If not, it will show an error like so:

This was one of the issues I hit when following the CheckPoint instructions. If you hit this, SSH to your appliance, and run the following command to view the logs:

tail -f $FWDIR/log/cloud_proxy.elg

Here I saw the following error:

"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.

This error message is far more useful; it’s a shame the CheckPoint GUI does not echo it back to the end user. Perhaps someone from CKP might see this blog post and add it, who knows!

Anyhow, I did some investigation and to resolve it I had to:

  1. Go to Application Registrations
  2. Click “API Permissions”
  3. Click “Add a permission”
  4. Select “Application Permissions”
  5. Select Microsoft Graph
  6. Select the following permissions
    a. Device.Read.All
    b. GroupMember.Read.All
    c. User.Read.All
  7. Click “Add Permissions” at the bottom
  8. Click “Grant admin consent”
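As an added check (example code written for this post, not CheckPoint's or Microsoft's), the Python below maps the app's consented Graph application permissions back to names and reports which of the three above are still missing. It works on the objects Microsoft Graph returns for the Graph service principal's appRoles and for the app's service principal appRoleAssignments, which only appear once admin consent has been granted; the sample data is constructed with placeholder ids.

```python
"""Report which Microsoft Graph application permissions the CheckPoint app
registration still lacks. Added example, not CheckPoint or Microsoft code.
Inputs mirror two Graph API objects: the Microsoft Graph service principal's
`appRoles` (role id -> permission name) and the app's service principal
`appRoleAssignments`, which exist only after admin consent is granted.
All ids below are constructed placeholders, not real Microsoft role ids."""

# The three permissions the post adds under "API Permissions".
REQUIRED_PERMISSIONS = {"Device.Read.All", "GroupMember.Read.All", "User.Read.All"}


def app_role_names(graph_app_roles):
    """Map Graph appRole id -> permission name (e.g. 'User.Read.All')."""
    return {role["id"]: role["value"] for role in graph_app_roles}


def granted_graph_permissions(graph_sp_id, graph_app_roles, app_role_assignments):
    """Permission names the app has been consented to on Microsoft Graph only."""
    names = app_role_names(graph_app_roles)
    granted = set()
    for assignment in app_role_assignments:
        if assignment.get("resourceId") != graph_sp_id:
            continue  # consent on some other API does not help here
        name = names.get(assignment.get("appRoleId"))
        if name:
            granted.add(name)
    return granted


def missing_graph_permissions(graph_sp_id, graph_app_roles, app_role_assignments):
    """Permissions still to add and consent; a non-empty result is the state
    behind the Authorization_RequestDenied error seen in cloud_proxy.elg."""
    granted = granted_graph_permissions(graph_sp_id, graph_app_roles, app_role_assignments)
    return REQUIRED_PERMISSIONS - granted


# Constructed sample: two of the three permissions are consented; Device.Read.All
# is only assigned against a different resource, so it does not count.
GRAPH_SP_ID = "placeholder-graph-service-principal-id"
GRAPH_APP_ROLES = [
    {"id": "placeholder-role-device", "value": "Device.Read.All"},
    {"id": "placeholder-role-groupmember", "value": "GroupMember.Read.All"},
    {"id": "placeholder-role-user", "value": "User.Read.All"},
    {"id": "placeholder-role-mail", "value": "Mail.Read"},
]
APP_ROLE_ASSIGNMENTS = [
    {"appRoleId": "placeholder-role-user", "resourceId": GRAPH_SP_ID},
    {"appRoleId": "placeholder-role-groupmember", "resourceId": GRAPH_SP_ID},
    {"appRoleId": "placeholder-role-device", "resourceId": "placeholder-other-api-id"},
]

if __name__ == "__main__":
    print("missing:", sorted(missing_graph_permissions(GRAPH_SP_ID, GRAPH_APP_ROLES, APP_ROLE_ASSIGNMENTS)))
```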

You should now see a green “Connected” text as follows:

Click “OK” to save your object. You will get the following warning:

Don’t panic, as we’ll be setting up SAML next.
Click OK and then click Publish at the top of the console.
Click “Install Policy” to apply the new object to your gateway(s).
Check that the new configuration has applied successfully and then continue to the next stage.

Configuring SAML as Single Sign-On in Azure

This was the bit I found the hardest and least documented. Even the CheckPoint documentation is vague and unhelpful here.

  1. Head back to AzureAD, and select “Enterprise Applications”
  2. Search for the application name you created in previous steps
  3. Open said application
  4. Click “Single Sign On” on the left hand side
  5. Select “SAML” from the options presented
  6. On the screen presented, click edit on the “Basic SAML Configuration”

Keep that page open and switch back into your CheckPoint console.

  1. Go to the object explorer on the right hand side
  2. Right click on “Users/Identities” and select “Identity Provider”
  3. You will be presented with the configuration screen
    a. Enter a name for the object
    b. Select the applicable gateway on the dropdown
    c. Select “Mobile Access” on the service dropdown
    d. Copy the Identifier (Entity ID) and Reply URL

Now, swap back to the Azure console where you have the SAML configuration open.

  1. Paste the Identifier
  2. Paste the Reply URL
  3. Click Save
  4. Click the X on the top right hand side

Now you need to change some of the user attributes that are involved in the SAML flow.

  1. Select edit on the “User Attributes and Claims” panel
  2. In the required claim section, click Unique User Identifier (Name ID)
  3. Make sure “Source” is set to “Attribute”
  4. Set “Source Attribute” to user.localprincipalname
  5. Click save

Back on the SAML screen, scroll down to the SAML Signing Certificate section and click download on the “Federation Metadata XML” option.

Go back to the CheckPoint console and click “Import Metadata File”. Select the XML file you just downloaded.
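Before importing, the metadata file can be sanity-checked. The Python below (an added example, not CheckPoint code) parses a Federation Metadata XML, pulls out the entityID, the SSO endpoints and the signing certificate, and lists anything that would leave the SAML trust incomplete; the embedded XML is a constructed sample in the shape Azure AD exports, with TENANT-ID and the certificate as placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def check_idp_metadata(xml_text):
    """Pull entityID, SSO endpoints and signing certs out of IdP metadata and
    list anything that would leave the SAML trust on the gateway incomplete."""
    root = ET.fromstring(xml_text)
    res = {"entity_id": root.get("entityID"), "sso_redirect": None,
           "sso_post": None, "signing_certs": [], "problems": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        res["problems"].append("not IdP metadata: no EntityDescriptor/IDPSSODescriptor (SP file?)")
        return res
    for svc in idp.findall("md:SingleSignOnService", NS):
        key = {REDIRECT: "sso_redirect", POST: "sso_post"}.get(svc.get("Binding"))
        if key:
            res[key] = svc.get("Location")
    if not (res["sso_redirect"] or res["sso_post"]):
        res["problems"].append("no HTTP-Redirect/HTTP-POST SingleSignOnService endpoint")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys never verify assertion signatures
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())
            try:
                if not b64 or not base64.b64decode(b64, validate=True):
                    raise ValueError("empty certificate element")
                res["signing_certs"].append(b64)
            except ValueError:
                res["problems"].append("signing certificate is not valid base64 (truncated download?)")
    if not res["signing_certs"]:
        res["problems"].append("no signing certificate: assertion signatures cannot be verified")
    return res

# Constructed sample in the shape Azure AD exports; TENANT-ID and the certificate are placeholders.
FAKE_CERT = base64.b64encode(b"placeholder DER bytes, not a real certificate").decode()
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/TENANT-ID/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
      <X509Certificate>{FAKE_CERT}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/TENANT-ID/saml2"/>
    <SingleSignOnService Binding="{POST}" Location="https://login.microsoftonline.com/TENANT-ID/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

Run it against the real download with `check_idp_metadata(open("metadata.xml").read())` and confirm `problems` is empty and `entity_id` matches your tenant before clicking Import.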

If all is well, the ticks will turn green. Click OK.

Publish and Install the policy onto your gateway.

Enable Identity Awareness blade

Click the Gateways & Servers tab on the left hand side:

Then, right click your gateway and select “Edit”:

Select “General Properties” and then tick the “Identity Awareness” checkbox:

This will then bring up a wizard to configure your CheckPoint.

Select “Browser Based Authentication”:

Select your AzureAD configuration from the dropdown; it will be named the same as your object.

Click “Test” to re-confirm the configuration is working.

Click OK

Change your “Main URL” to the DNS name of the firewall if you wish.

Change the accessible interfaces to the ones of your choice.

Click Next

Click Finish

Publish and install the policy

Wrapping Up

Congratulations! If you made it this far, you now have your CheckPoint configured and ready to go with Azure authentication.

I will step into configuration of Access groups and VPN rules in another post later on, but you will now be able to select Azure AD users and groups when creating your policies in the SmartConsole.

I hope this blog post proved useful for you. I am by no means a CheckPoint expert, but it’s always good to share knowledge!