Identity Collector - Automatic LDAP Group Update

Identity Collector automatically recognizes changes to LDAP group memberships and updates the identity information, including Access Roles.

Identity Collector is a dedicated Check Point client agent installed on Windows Servers in your network. It collects information about identities and their associated IP addresses, and sends it to the Check Point Security Gateways for identity enforcement. For more information, see sk108235. You can download the Identity Collector package from sk134312.

This capability is now available using Identity Collector.

This capability was already available in AD Query and in R80.40. Starting in R81 it is available in Identity Collector, as well.

AD Query is the Check Point clientless identity acquisition tool. It is based on Active Directory integration and is completely transparent to the user. The technology queries the Active Directory Security Event Logs over Windows Management Instrumentation (WMI), a standard Microsoft protocol, and extracts the user and computer mapping to the network address from them. The Check Point Security Gateway communicates directly with the Active Directory domain controllers and does not require a separate server. No installation is necessary on the clients or on the Active Directory server.

The LDAP Group Update feature is on by default for a user’s membership updates. For group membership updates, it is off by default. You can turn it on manually from the CLI.

When you enable updates for group membership movement, the system recalculates LDAP group membership for ALL users in ALL groups. This may have a performance impact.

  • Users moving from one LDAP group to another – on by default.

  • Moving a group to a different group (nested groups) – off by default.

  • Group deletion – off by default.

To activate automatic LDAP group update for a group’s membership MOVEMENT:

On the command line of the Identity Awareness Gateway (Identity Awareness is the Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer; acronym: IDA), run this command on each Cluster Member (each Security Gateway that is part of the cluster):

pdp idc groups_update {on|off|status}

Parameters

  • on – The pdp performs "update all" to get the current LDAP group status.

  • off – Disables the feature (default setting).

  • status – Shows the current status of the feature.

For improved performance, the information about LDAP users and groups is cached by the Identity Awareness Gateway. If the information about a current group is already cached, the group update is not reflected until the cache is updated.

By default the cache is updated every 15 minutes.

The Group Update flow:

  1. The Identity Collector receives a notification about a group change. It does this by listening to the IDs of group change events.

  2. The Identity Collector forwards the notification to the PDP Identity Awareness Gateway (the Check Point Identity Awareness Security Gateway that acts as Policy Decision Point: it acquires identities from identity sources and shares them with other gateways).

  3. The behavior of the PDP Identity Awareness Gateway depends on the group update setting:

    • A user or a machine – The PDP performs the action "update specific" for this user or machine to get the current status.

    • A group with the feature disabled – The PDP does nothing. This is the default setting.

    • A group with the feature enabled – The PDP performs the action "update all" to get the current status. You can enable the feature with this command:

    pdp idc groups_update on
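The following Python model illustrates the group update flow above together with the caching behavior described earlier on this page: a user move always triggers "update specific" for that one object, while a nested-group change triggers "update all" only when the feature is on, and otherwise leaves the cached view stale until the next refresh. It is an added example written for this page, not Check Point code; the Directory and Pdp classes, the directory contents and the event kinds are constructed assumptions, and the periodic 15-minute cache refresh is represented only by an explicit update_all() call.

```python
# Added model of the PDP group-update behavior described on this page.
# Not Check Point code: classes, directory data and event kinds are constructed.
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Constructed LDAP-like directory: users -> direct groups, groups -> parent groups."""
    user_groups: dict[str, set[str]]
    group_parents: dict[str, set[str]] = field(default_factory=dict)

    def effective_groups(self, user: str) -> frozenset[str]:
        """Resolve direct plus nested (parent) group membership for one user."""
        result, stack = set(), list(self.user_groups.get(user, ()))
        while stack:
            group = stack.pop()
            if group not in result:
                result.add(group)
                stack.extend(self.group_parents.get(group, ()))
        return frozenset(result)


class Pdp:
    """Models the PDP's cached group view and its reaction to Identity Collector notifications."""

    def __init__(self, directory: Directory, groups_update: bool = False):
        self.directory = directory
        self.groups_update = groups_update  # mirrors 'pdp idc groups_update {on|off}'
        # Cached group membership, as the gateway would hold it between refreshes.
        self.cache = {u: directory.effective_groups(u) for u in directory.user_groups}
        self.recalculations = 0  # per-user recalculations, a rough cost indicator

    def update_specific(self, user: str) -> None:
        """Recalculate membership for a single user or machine."""
        self.cache[user] = self.directory.effective_groups(user)
        self.recalculations += 1

    def update_all(self) -> None:
        """Recalculate membership for ALL users (also what a cache refresh amounts to here)."""
        for user in self.directory.user_groups:
            self.update_specific(user)

    def on_notification(self, kind: str, subject: str) -> str:
        """React to a change notification; kind is 'user', 'machine' or 'group'."""
        if kind in ("user", "machine"):
            self.update_specific(subject)
            return "update specific"
        if kind == "group":
            if not self.groups_update:
                return "none"  # feature off (default): cached view stays stale
            self.update_all()
            return "update all"
        raise ValueError(f"unknown notification kind: {kind}")


def demo(groups_update: bool) -> dict:
    """Run two constructed events against a small directory and report what the PDP did."""
    directory = Directory(
        user_groups={"alice": {"eng"}, "bob": {"eng"}, "carol": {"sales"}},
        group_parents={"eng": {"staff"}, "sales": {"staff"}},
    )
    pdp = Pdp(directory, groups_update)

    # Event 1: user alice moves from 'eng' to 'sales' (always handled per user).
    directory.user_groups["alice"] = {"sales"}
    user_action = pdp.on_notification("user", "alice")

    # Event 2: nested-group change, 'eng' is re-parented from 'staff' to 'contractors'.
    directory.group_parents["eng"] = {"contractors"}
    group_action = pdp.on_notification("group", "eng")

    return {
        "user_action": user_action,
        "group_action": group_action,
        "alice_groups": pdp.cache["alice"],
        "bob_groups": pdp.cache["bob"],  # stale unless 'update all' ran
        "recalculations": pdp.recalculations,
    }


if __name__ == "__main__":
    print("groups_update off:", demo(False))
    print("groups_update on: ", demo(True))
```

With the feature off, bob's cached membership still lists "staff" after the nested-group change, which is the staleness the page warns about; with it on, every user is recalculated, which is why the default is off and why the page notes a possible performance impact.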