Account in checkpoint can be kept locally or remotely. For remote account we can use several protocols like LDAP, Radius, TACACS, SecureID. TACACS is using encrypted session, RADIUS is encrypting just the password and for LDAP you can choose to encrypt it with the SSL. In production you should always use the encryption.
There are 3 basic steps to configure LDAP AD in checkpoint:
- Enable User Directory (in global properties) – you need to enable directory services on checkpoint before configuring them
- Create LDAP Hook to Server (Account Unit) – here you configure the AD server all the credentials (login DN, username port, encryption) needed to do the query to AD server. You can then refer to this via LDAP group.
- Create LDAP Group (Links to Account Unit) – this is the link which points to the account unit (ldap hook)
In the pictures below are all 3 steps
Enable global properties
LDAP Hook. Click on New and choose LDAP Account Unit. The configuration details should be provided by AD team in your company.
LDAP group below. Btw, if you double click on LDAP-AU (LDAP account unit) like shown in picture below you can query the AD and list all objects there. Looks nice