
Configuring Identity Logging for a Log Server

When you enable Identity Awareness on a Log Server, you add user and computer identification to Check Point logs. Administrators can then analyze network traffic and security-related events better.

The Log Server communicates with Active Directory servers and stores the data extracted from the AD in an association map. When a Security Gateway generates a Check Point log entry and sends it to the Log Server, the server looks up the association map entry that corresponds to the source IP address of the logged event, gets the user and computer name from it, and adds this identity-aware information to the log.
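As an added illustration of the association-map lookup described above (example code, not Check Point's own implementation), the script below builds the map from constructed AD logon records and enriches constructed log entries by source IP. All record layouts, field names and sample values are assumptions made for the example.

```python
"""Simulate the Log Server's identity enrichment: IP -> identity map
built from AD data, applied to logs keyed on the source IP.

Added example, not Check Point code. The record layouts below are
constructed for illustration and do not reproduce any real format.
"""
from dataclasses import dataclass


@dataclass
class Identity:
    user: str
    machine: str


def build_association_map(ad_events):
    """Build IP -> Identity from AD logon events (constructed layout).

    Events are processed in time order; a later logon seen from the
    same IP replaces the earlier association for that address.
    """
    assoc = {}
    for ev in ad_events:
        assoc[ev["ip"]] = Identity(ev["user"], ev["machine"])
    return assoc


def parse_log(line):
    """Parse a constructed 'key=value' log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def enrich(line, assoc):
    """Attach user/machine from the association map keyed on 'src'.

    When the source IP has no association, the log is kept and the
    identity fields stay empty rather than guessing an identity.
    """
    rec = parse_log(line)
    ident = assoc.get(rec.get("src"))
    rec["user"] = ident.user if ident else ""
    rec["machine"] = ident.machine if ident else ""
    return rec


# Constructed sample data: 10.1.1.5 is reused by a second user later.
AD_EVENTS = [
    {"ip": "10.1.1.5", "user": "CORP\\alice", "machine": "WS-ALICE"},
    {"ip": "10.1.1.9", "user": "CORP\\bob", "machine": "WS-BOB"},
    {"ip": "10.1.1.5", "user": "CORP\\carol", "machine": "WS-CAROL"},
]
LOGS = [
    "action=accept src=10.1.1.5 dst=192.0.2.10 service=443",
    "action=drop src=10.1.1.9 dst=192.0.2.11 service=22",
    "action=accept src=10.1.1.77 dst=192.0.2.12 service=53",
]


def enrich_all(lines=LOGS, events=AD_EVENTS):
    """Enrich every log line with the identity currently mapped to its src."""
    assoc = build_association_map(events)
    return [enrich(line, assoc) for line in lines]
```

Running `enrich_all()` shows the third entry (source 10.1.1.77, unknown to AD) carrying empty identity fields, while 10.1.1.5 resolves to the most recent logon seen from that address.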

Enabling Identity Awareness on the Log Server for Identity Logging

Before you enable Identity Awareness on the Log Server for identity logging:

To enable Identity Awareness on the Log Server for logging:

  1. Log in to SmartDashboard.
  2. From the Network Objects tree, right-click Check Point and select the Security Gateway with the Log Server.
  3. In the Software Blades section, select Logging & Status and Identity Awareness on the Management tab.

    The Identity Awareness Configuration wizard opens.

  4. Click Next.

    The Integration With Active Directory window opens.

    When SmartDashboard is part of the domain, SmartDashboard suggests this domain automatically. If you select this domain, the system creates an LDAP Account Unit with all of the domain controllers in the organization's Active Directory.

    Note - We highly recommend that you go to the LDAP Account Unit and make sure that only necessary domain controllers are in the list. If AD Query is not required to operate with some of the domain controllers, delete them from the LDAP Servers list.

    With the Identity Awareness Configuration wizard you can use existing LDAP Account Units or create a new one for one AD domain. If you create a new domain, the LDAP Account Unit that the system creates contains only the domain controller you set manually. If it is necessary for AD Query to fetch data from other domain controllers, you must add them manually to the LDAP Servers list after you complete the wizard.

    To view/edit the LDAP Account Unit object, select Servers and OPSEC in the objects tree > LDAP Account Unit.

    The LDAP Account Unit name syntax is: <domain name>__AD

    For example, CORP.ACME.COM__AD.

  5. From the Select an Active Directory list, select the Active Directory to configure from the list of configured LDAP Account Units, or create a new domain. If you have not set up Active Directory, you need to enter a domain name, username, password and domain controller credentials.
  6. Enter the Active Directory credentials and click Connect to verify the credentials.

    Important - For AD Query you must enter domain administrator credentials or do the steps in sk43874.

  7. Click Finish.