Identity Collector - Filters for Login Events

You can configure Identity Collector to filter the login events. Identity Collector sends events that match the filter criteria to the Identity Server.

Identity Collector is a dedicated Check Point client agent installed on Windows Servers in your network. It collects information about identities and their associated IP addresses and sends it to the Check Point Security Gateways for identity enforcement. You can download the Identity Collector package from the Support Center.

An Identity Server is a Check Point Security Gateway with the Identity Awareness Software Blade enabled.

Starting with version R80.67.0000, Identity Collector has these types of filter sets:

  • Global Filter - Applies to all Identity Servers configured in the Identity Collector instance. This filter is useful for Service Accounts.

  • Regular Filters - Apply to one or more Identity Servers. These filters are located in the Identity Server view of the Identity Collector GUI.

To add a new Filter for login events in the Identity Collector:

  1. Open the Identity Collector application.

  2. From the top toolbar, click Filters.

  3. From the top toolbar, click New Filter.

  4. Enter the name for the Filter to show in the Identity Collector.

  5. (Optional) Enter the comment.

  6. Configure the filter:

    • Network Filter - Defines IP addresses and networks to Include or Exclude.

    • Identity Filter - Defines user names and computer names to Include or Exclude.

    • Domain Filter - Defines domain names to Include or Exclude.

    • Group Filter (starting from version R81.018.0000) - Defines groups to Include or Exclude.

  7. Click OK.

To edit a current Filter for login events in the Identity Collector:

  1. Open the Identity Collector application.

  2. From the top toolbar, click Filters.

  3. Select the applicable Filter.

  4. From the top toolbar, click Edit Filter.

  5. Configure the Filter:

    • Network Filter - Defines IP addresses and networks to Include or Exclude.

    • Identity Filter - Defines user names and computer names to Include or Exclude.

    • Domain Filter - Defines domain names to Include or Exclude.

  6. Click OK.

To delete a current Filter for login events in the Identity Collector:

  1. Open the Identity Collector application.

  2. From the top toolbar, click Filters.

  3. Select the applicable Filter.

  4. From the top toolbar, click Delete Filter.

  5. Click Yes to confirm.

  6. Click OK.

Cache:

The cache saves associations (user-to-IP address) that the Identity Collector creates for a time interval (the default is 5 minutes).

If the event happens again during that interval, the Identity Collector does not send it to the Identity Server.
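
The cache behavior described above, as an added illustration that is not Check Point code: a toy model showing which repeated login events would still reach the Identity Server. The class and function names and the sample events are constructed, and it assumes the interval is counted from the last event that was sent.

```python
from datetime import datetime, timedelta

CACHE_INTERVAL = timedelta(minutes=5)  # default interval stated on this page


class AssociationCache:
    """Toy model of the user-to-IP association cache (hypothetical names)."""

    def __init__(self, interval=CACHE_INTERVAL):
        self.interval = interval
        self._sent_at = {}  # (user, ip) -> time the association was last sent

    def should_send(self, user, ip, when):
        key = (user, ip)
        last = self._sent_at.get(key)
        # Assumption: the interval runs from the last event that was sent;
        # suppressed repeats do not extend it.
        if last is not None and when - last < self.interval:
            return False
        self._sent_at[key] = when
        return True


def forwarded(events, cache=None):
    """Return the events that would be sent to the Identity Server."""
    if cache is None:
        cache = AssociationCache()
    return [e for e in events if cache.should_send(e[1], e[2], e[0])]


# Constructed sample events: (timestamp, user, source IP)
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    (T0, "alice", "10.0.0.5"),                         # first seen: sent
    (T0 + timedelta(minutes=2), "alice", "10.0.0.5"),  # same pair: suppressed
    (T0 + timedelta(minutes=3), "alice", "10.0.0.9"),  # new IP: sent
    (T0 + timedelta(minutes=4), "bob", "10.0.0.5"),    # new user, same IP: sent
    (T0 + timedelta(minutes=6), "alice", "10.0.0.5"),  # interval passed: sent
]

if __name__ == "__main__":
    for when, user, ip in forwarded(SAMPLE_EVENTS):
        print(when.time(), user, ip)
```

The cache key is the user-to-IP pair, so a new user on a known IP address, or a known user on a new IP address, counts as a new association.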