Identity Collector

This section describes how to configure an Identity CollectorClosed Check Point dedicated client agent installed on Windows Servers in your network. Identity Collector collects information about identities and their associated IP addresses, and sends it to the Check Point Security Gateways for identity enforcement. For more information, see sk108235. You can download the Identity Collector package from sk134312. (a type of Identity Client) for a Microsoft Server.

The Check Point Identity Collector serves as a specialized client agent that is deployed on Windows Servers within your network infrastructure.

Functionally, the Identity Collector is responsible for gathering identity-related data, which includes corresponding IP addresses, and subsequently transmites this information to the Check Point Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.. This exchange of data facilitates identity-driven enforcement measures.

To facilitate its operation, the Identity Collector leverages the Windows Event Log mechanism to retrieve security logs from the Domain Controller. The Windows Event Log functionality is an integral part of the operating system, available both for client systems (starting from Windows Vista) and server systems (starting from Windows Server 2008).

Example Topology and Traffic Flow




Windows Server with Identity Collector installed


User endpoint computers


Identity AwarenessClosed Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Gateway


Internal resources


Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server.


Endpoint users authenticate on the Windows Server (1)


User endpoint computers (2) communicate with the Identity Awareness Gateway


Identity Collector on the Windows Server (1) sends user and machine identities to the Identity Awareness Gateway


Identity Awareness Gateway grants or denies access to internal resources (4) based on the Access Control Policy


Security Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. manages the Identity Awareness Gateway

These are the benefits of using Identity Collector instead of a standard AD QueryClosed Check Point clientless identity acquisition tool. It is based on Active Directory integration and it is completely transparent to the user. The technology is based on querying the Active Directory Security Event Logs and extracting the user and computer mapping to the network address from them. It is based on Windows Management Instrumentation (WMI), a standard Microsoft protocol. The Check Point Security Gateway communicates directly with the Active Directory domain controllers and does not require a separate server. No installation is necessary on the clients, or on the Active Directory server.:

Note - For the support of Identity Collector on Quantum Spark Appliances, see sk159772 and sk178604.

High Availability Mode

To set up the Identity Collector in High Availability mode, follow these steps:

  1. Install the Identity Collector on two separate Windows servers.

  2. Make sure that both Windows servers have identical configurations.

    After installed, the Identity Collector performs the following tasks on each Windows server:

    • Collects events from AD/ISE Servers.

    • Forwards the collected events to the Security Gateway.

Note - If there are any duplicate events, the Security Gateway automatically disregards them.