Identity Collector - Automatic LDAP Group Update
Identity Collector automatically recognizes changes to LDAP group memberships and updates the identity information, including Access Roles.
Identity Collector is a Check Point dedicated client agent installed on Windows Servers in your network. It collects information about identities and their associated IP addresses, and sends it to the Check Point Security Gateways for identity enforcement. For more information, see sk108235. You can download the Identity Collector package from sk134312.
This capability was already available in AD Query in R80.40. Starting in R81, it is available in Identity Collector as well.
AD Query is the Check Point clientless identity acquisition tool. It is based on Active Directory integration and is completely transparent to the user. It works by querying the Active Directory Security Event Logs over Windows Management Instrumentation (WMI), a standard Microsoft protocol, and extracting the user and computer to network address mapping from them. The Security Gateway communicates directly with the Active Directory domain controllers and does not require a separate server; no installation is necessary on the clients or on the Active Directory server.
The LDAP Group Update feature is on by default for changes to a user's group membership. For changes to a group's own membership (nested groups and group deletion), it is off by default; you can turn it on manually from the CLI.
When you enable updates for group membership movement, the system recalculates LDAP group membership for ALL users in ALL groups. This can have a performance impact.
- Users moving from one LDAP group to another: on by default.
- Moving a group to a different group (nested groups): off by default.
- Group deletion: off by default.
To activate automatic LDAP group update for a group's membership MOVEMENT:
On the Identity Awareness Gateway command line (on each Cluster Member, if the gateway is part of a cluster), run:
pdp idc groups_update {on | off | status}
Identity Awareness (IDA) is the Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer.
Parameters
Parameter | Description
---|---
on | Enables the feature. The PDP performs "update all" to get the current LDAP group status.
off | Disables the feature (default setting).
status | Shows the current status of the feature.
For improved performance, the Identity Awareness Gateway caches the information about LDAP users and groups. If the information about a group is already cached, a change to that group is not reflected until the cache is refreshed. By default, the cache is refreshed every 15 minutes, so with the feature off a nested-group change can take up to 15 minutes to affect enforcement.
The Group Update flow:
- The Identity Collector receives a notification about a group change. It does this by listening for the event IDs of group change events.
- The Identity Collector forwards the notification to the PDP Identity Awareness Gateway (the Policy Decision Point: the Identity Awareness Gateway that acquires identities from identity sources and shares them with other gateways).
- The PDP Identity Awareness Gateway's behavior depends on the status of the group update settings:
Group Update Setting | Behavior
---|---
A user or a machine | PDP performs the action "update specific" for this user or machine to get the current status.
A group with the feature disabled | PDP does nothing. This is the default setting.
A group with the feature enabled | PDP performs the action "update all" to get the current status.
You can enable the feature with this command:
pdp idc groups_update on
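The following Python model is an added illustration written for this page, not Check Point code. It simulates the decision table above together with the 15-minute cache caveat: a nested-group change that moves a user between groups is reflected on the PDP immediately only when groups_update is on; with it off (the default) the cached membership stays stale until the periodic refresh. The in-memory directory, the event labels, the identities and the timestamps are all constructed for the example and stand in for the LDAP server and the Identity Collector notification.

```python
"""Model of the Identity Collector -> PDP LDAP group update flow.

Illustrative simulation for this page; not Check Point code. The 'directory'
dict stands in for the LDAP server, GroupChangeEvent for the forwarded
notification, and LdapGroupCache for the PDP's per-identity group cache.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

CACHE_TTL = timedelta(minutes=15)  # default cache refresh interval stated on the page


@dataclass(frozen=True)
class GroupChangeEvent:
    """A group change notification as forwarded by Identity Collector (constructed)."""
    subject_kind: str  # "user", "machine" or "group": the object the event is about
    subject: str       # identity or group name
    change: str        # constructed labels: "member_moved", "group_nested", "group_deleted"


def pdp_action(event: GroupChangeEvent, groups_update_enabled: bool) -> str:
    """Decision table from the page: what the PDP does with a notification."""
    if event.subject_kind in ("user", "machine"):
        return "update specific"  # always on: refresh just this identity
    if event.subject_kind == "group":
        # Nested-group moves and deletions only trigger a full recalculation
        # when 'pdp idc groups_update on' has been set; otherwise the PDP ignores them.
        return "update all" if groups_update_enabled else "nothing"
    raise ValueError(f"unknown subject kind {event.subject_kind!r}")


class LdapGroupCache:
    """Per-identity LDAP group cache on the PDP, fully refreshed every CACHE_TTL."""

    def __init__(self, directory: dict, now: datetime) -> None:
        self._directory = directory  # constructed stand-in for the LDAP server
        self._cache: dict = {}
        self._last_refresh = now

    def _refresh_all(self, now: datetime) -> None:
        self._cache = {u: set(g) for u, g in self._directory.items()}
        self._last_refresh = now

    def groups_of(self, identity: str, now: datetime) -> set:
        """Groups the PDP currently believes the identity belongs to."""
        if now - self._last_refresh >= CACHE_TTL:
            self._refresh_all(now)  # periodic refresh finally picks up the change
        if identity not in self._cache:
            self._cache[identity] = set(self._directory.get(identity, ()))
        return self._cache[identity]

    def apply(self, action: str, identity: str, now: datetime) -> None:
        """Apply the PDP's decision to the cache."""
        if action == "update specific":
            self._cache[identity] = set(self._directory.get(identity, ()))
        elif action == "update all":
            self._refresh_all(now)
        # "nothing": the stale entry survives until the periodic refresh


def scenario(groups_update_enabled: bool) -> list:
    """Move alice from Finance to HR through a nested-group change and record
    what the PDP believes at t=0, one minute after the event, and after CACHE_TTL."""
    t0 = datetime(2024, 1, 1, 9, 0)
    directory = {"alice": {"Finance"}}
    cache = LdapGroupCache(directory, t0)
    seen = [sorted(cache.groups_of("alice", t0))]  # cached: Finance

    directory["alice"] = {"HR"}  # the change happens in LDAP
    event = GroupChangeEvent("group", "Finance", "group_nested")
    t1 = t0 + timedelta(minutes=1)
    cache.apply(pdp_action(event, groups_update_enabled), "alice", t1)
    seen.append(sorted(cache.groups_of("alice", t1)))

    t2 = t0 + CACHE_TTL
    seen.append(sorted(cache.groups_of("alice", t2)))  # periodic refresh
    return seen


if __name__ == "__main__":
    print("groups_update off:", scenario(False))  # stale until the 15-minute refresh
    print("groups_update on: ", scenario(True))   # reflected right after the event
```

Running the module prints the two timelines; the second entry of each list is the enforcement view one minute after the nested-group change, which is where the default setting lags.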