
Configuring Identity Collector

Check Point Identity Collector is a dedicated client agent installed on Windows Servers in your network. Identity Collector collects information about identities and their associated IP addresses, and sends it to the Check Point Security Gateways for identity enforcement. For mandatory requirements and more information, see sk108235.

This section explains the steps you must follow to operate Identity Collector as an identity source, including installation and configuration on the Windows Server.

Deploying the Identity Collector Solution

To deploy the Identity Collector:

Note - The Identity Collector does not directly send AD, LDAP or other types of groups to Identity Awareness Security Gateway.

Installing the Identity Collector

To install the Identity Collector, a user with administrator rights must run the Identity Collector installation.

For all requirements and more information, see sk108235.

The Windows server, on which you install the Identity Collector, must meet these requirements:

Configuring the Identity Collector in the Identity Awareness Gateway object

To enable the Identity Collector solution, you must also configure it in the Identity Awareness Gateway object in SmartConsole:

  1. In SmartConsole, open the Identity Awareness Gateway object.
  2. Go to the Identity Awareness pane.
  3. Select Identity Collector.
  4. Near the Identity Collector, click Settings.
  5. In the Identity Collector Settings window, configure:
  6. Click OK to close the Identity Collector Settings window.
  7. Click OK to close the Gateway Properties window.
  8. Optional: If you want to enforce the Cisco Security Group Tags (SGTs) on the Identity Awareness Gateway:
    1. In SmartConsole, click Objects menu > Object Explorer > New > User > User Group.
    2. Name the new group: CSGT-<SGT_NAME>.
    3. Assign this group to an Access Role.
  9. Install the Access Policy.

Client Access Permissions

You must select Identity Awareness Gateway interfaces that can accept connections from Identity Collector clients.

To select the Identity Awareness Gateway interfaces:

  1. In the Client Access Permissions section of the Identity Collector Settings window, click Edit.
  2. Select the Security Gateway interfaces that can accept connections from Identity Collector clients. The options are based on the topology configured for the Security Gateway. Identity Collector clients can reach the Security Gateway only through networks connected to these interfaces. The options are:
    1. Through all interfaces - All Security Gateway interfaces can accept connections from Identity Collector clients.
    2. Through internal interfaces - Only Security Gateway interfaces that are explicitly defined as internal can accept connections from Identity Collector clients.
      • Including undefined internal interfaces - Also accepts connections from Web API clients on internal interfaces without a defined IP address
      • Including DMZ internal interfaces - Also accepts connections from Identity Collector clients located in the DMZ
      • Including VPN Encrypted interfaces - Also accepts connections from Identity Collector clients located in the VPN domain
    3. According to the Firewall policy - Select this if there is an explicit Access Policy rule that accepts connections from Identity Collector clients.

Important - The Through all interfaces and Through internal interfaces options have priority over Firewall Policy rules. If a Firewall rule is configured to block connections from Identity Collector clients, connections continue to be permitted when one of these options is selected.

Authorized Clients and Selected Client Secret

An Identity Awareness Gateway accepts connections only from authorized Identity Collector client computers.

To configure authorized Identity Collector client computers:

  1. In the Authorized Clients section of the Identity Collector Settings window, click the green [+] icon and select an Identity Collector client from the list.

    Notes:

    • To define a new host object:
    1. Close the Identity Collector Settings window.
    2. Close the Identity Awareness Gateway Properties window.
    3. From the top toolbar, click the Objects menu > More object types > Network Object > New Host.

      Or from the right upper corner, click the Objects tab > New > Host.

    • To remove an existing Identity Collector client from the list, select the client and click the red [-] icon.
  2. Create an authentication secret for a selected Identity Collector client:
    1. Select the Identity Collector client in the list.
    2. Click Generate, or enter the desired secret manually.

    Notes:

    • Each client has its own client secret.
    • To modify a client secret, change it manually.

Authentication Settings

  1. In the Authentication Settings section of the Identity Collector Settings window, click Settings.

    The LDAP Account Units window opens.

  2. Configure where the Identity Awareness Gateway can search for users, when they try to authenticate:
    • Internal users - The directory of configured internal users.
    • LDAP users - The directory of LDAP users:
      • All Gateway's Directories -Users from all configured LDAP servers.
      • Specific - Users from configured LDAP servers that you select.
    • External user profiles - The directory of users, who have external user profiles.

By default, all User Directories options are selected. You can select only one or two options, if users are only from a specified directory, and you want to maximize Security Gateway performance, when users authenticate. Users with identical user names must log in with domain\username.

Configuring the Identity Collector to Work with Active Directory

Do these steps in the Identity Collector to configure it to work with Active Directory:

  1. Add a new Active Directory with its Domain Controllers.
  2. Add a new Query Pool.
  3. Connect to a Check Point gateway.

To add a new Active Directory with its Domain Controllers:

  1. Go to Domains > New Domain.
  2. Enter the Domain name and account credentials. There are 2 optional fields: Comment and DC IP Address to test connectivity.

    Note - The account must be a member of the Event Log Readers group.

  3. Click OK.
  4. Use one of these options to add the required Domain Controllers:
    1. Add Domain Controllers automatically by DNS and LDAP queries:
      1. Go to Identity Sources > New Source > Active Directory.
      2. Select Fetch Automatically.
      3. Select the Domain.
      4. Enter the DC IP Address of one of the Domain Controllers you want to add.
      5. Click Fetch. A list of the Domain Controllers shows.
      6. Enable the Domain Controllers you want to add.
      7. Click OK.
    2. Add Domain Controllers manually one at a time:
      1. Go to Identity Sources > New Source > Active Directory.
      2. Click Add Manually.
      3. Enter the Domain Controller Name.
      4. Select the Domain.
      5. Enter the IP Address of the Domain Controller you want to add.
      6. Optional: Enter a comment and enter a Site’s name.
      7. If this server is not a domain controller but a server that the events are forwarded to, select this checkbox.
      8. Optional: Click Test to check the connectivity.
      9. Click OK.

To add a new Query Pool:

Assign one Query Pool to each gateway.

  1. Click Query Pools > New Query Pool.
  2. Enter the Query Pool Name and select the Identity Sources, from which to collect identities.
  3. Optional: Enter a Comment.
  4. Click OK.

    Note – The Identity Collector queries only the AD Domain Controllers and Cisco ISE Servers that are in the Query Pool.

To connect the Identity Collector to a Check Point gateway:

  1. Go to Gateways > New Gateway.
  2. Enter the Gateway Name, IP Address and Shared Secret as configured in SmartConsole.
  3. Optional: Enter a comment.
  4. Select a Query Pool to assign to the gateway.

    Note - Assign one Query Pool to each gateway.

  5. Click Test.
  6. Make sure the certificate is correct and approve it.
  7. Click OK.


Identity Collector Filtering

You can configure the Identity Collector to filter the login events. The Identity Collector sends to the Identity Server (Identity Awareness Gateway) only events that match the filter criteria.

  1. Open the Identity Collector application.
  2. From the top toolbar, click Filters.
  3. Select, or configure a filter:
    • Network Filter - Defines IP addresses and networks to include or exclude.
    • Identity Filter - Defines user names and computer names to include or exclude. You can filter by full names, names with wildcards, or regular expressions (select the checkbox).
  4. Click OK.

Cache:

The cache saves associations (user-to-IP address) that the Identity Collector creates for a time period (the default is 5 minutes). If the event happens again during that time, the Identity Collector does not send it to the Identity Server again.

Identity Collector Advanced Configuration

For advanced configuration options, go to the Advanced tab on the left pane of the Identity Collector.

Activity Log

Logs the date and time of activities done in the Identity Collector. This log is cleared every time the GUI restarts.

Settings > Identity Reporting

Association time-to-live – How long this association will live on the PDP Security Gateway. The default is 12 hours.

Cache time-to-live – The cache saves associations (user to IP) that the Identity Collector creates for a set period of time (the default is 5 minutes). If the event occurs again during that time period, the Identity Collector does not send the event to the gateway again.

Ignore machine identities – The Identity Collector does not send computer associations, only user associations. The default of this feature is off.

Ignore RDP events – When remote desktop login occurs, 2 login events occur in the domain controller with the same username but different IPs: the computer logged in from and the computer logged in to. Therefore, the IP of the computer logged in from is redundant and with this configuration the Identity Collector ignores it.

Clear Cache Button – Clears all the entries saved in the cache. The Identity Collector will create new cache entries when it receives new associations.
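The cache and the Ignore machine identities setting described above, modelled as an added example (this is not Check Point's code): a user-to-IP association is forwarded once per cache TTL, repeats inside the TTL are suppressed, and Clear Cache makes everything eligible again. The page does not say how the Identity Collector tells computer accounts apart; the trailing "$" rule here is an assumption.

```python
from typing import Dict, List, Tuple

# Page defaults: cache TTL is 5 minutes. The 12-hour association TTL is enforced on the PDP, not here.
CACHE_TTL_SECONDS = 5 * 60


class AssociationCache:
    """Suppresses repeated user-to-IP associations seen within the cache TTL."""

    def __init__(self, ttl_seconds: int = CACHE_TTL_SECONDS, ignore_machines: bool = False):
        self.ttl = ttl_seconds
        self.ignore_machines = ignore_machines
        self._seen: Dict[Tuple[str, str], float] = {}  # (user, ip) -> time last sent

    def clear(self) -> None:
        """Equivalent of the Clear Cache button: every association is sent again."""
        self._seen.clear()

    def should_send(self, user: str, ip: str, now: float) -> bool:
        # Assumption: AD computer accounts are recognised by the trailing '$'.
        if self.ignore_machines and user.endswith("$"):
            return False
        key = (user.lower(), ip)
        last = self._seen.get(key)
        if last is not None and now - last < self.ttl:
            return False  # same association within the TTL: not resent
        self._seen[key] = now
        return True


def forward_events(events: List[dict], ttl_seconds: int = CACHE_TTL_SECONDS,
                   ignore_machines: bool = False) -> List[dict]:
    """Returns the events that would be forwarded to the gateway, in order."""
    cache = AssociationCache(ttl_seconds, ignore_machines)
    return [e for e in events if cache.should_send(e["user"], e["ip"], e["t"])]


# Constructed sample login events; t is seconds from an arbitrary start.
SAMPLE_EVENTS = [
    {"t": 0,   "user": "CORP\\alice", "ip": "10.1.1.10"},
    {"t": 60,  "user": "CORP\\alice", "ip": "10.1.1.10"},  # repeat within TTL
    {"t": 90,  "user": "CORP\\WS01$", "ip": "10.1.1.10"},  # machine account
    {"t": 120, "user": "CORP\\alice", "ip": "10.1.1.11"},  # new IP
    {"t": 400, "user": "CORP\\alice", "ip": "10.1.1.10"},  # TTL expired
]

if __name__ == "__main__":
    for event in forward_events(SAMPLE_EVENTS, ignore_machines=True):
        print(event)
```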

Settings > ISE Servers

Session Keep-alive – At every configured interval, the Identity Collector goes over its internal ISE sessions database. If it finds expired sessions, it queries the ISE Server to see whether the session is still alive, and then updates the gateway accordingly. This value sets that interval.

Settings > Logins Monitor

Enable Logins Monitor – When selected, the Identity Collector records user login events and shows them in the Logins Monitor tab.

Event expiration time – The maximum time that the Logins Monitor Table stores each login record.

Cache time-to-live – The maximum time between two different login events by the same user or same computer that are treated as one Logins Monitor record.

Auto refresh time – The interval at which the Logins Monitor user interface refreshes its view by requesting an update of the user login records.

Ignore revoked events – When selected, the Logins Monitor tab only stores and displays the latest login event (both user and computer event) for each IP address.

Identity Collector Ports and Protocols

Direction | Port | Protocol
--- | --- | ---
Identity Collector to Identity Awareness Gateway | 443 | Proprietary Check Point protocol, over HTTPS. Used for ongoing communication between the agent and the Identity Awareness Gateway.
Identity Collector to Microsoft Active Directory Domain Controller | 53 | DNS
Identity Collector to Microsoft Active Directory Domain Controller | 389 | LDAP
Identity Collector to Microsoft Active Directory Domain Controller | 636 | LDAPS
Identity Collector to Microsoft Active Directory Domain Controller | 135, and dynamically allocated ports | DCOM protocol, which makes extensive use of DCE/RPC. *
Identity Collector to Cisco ISE Server | 5222 | Session subscribe. Gets notifications of new login or logout events from the Cisco ISE Server.
Identity Collector to Cisco ISE Server | 8910 | Bulk session download. Fetches all the active sessions from the Cisco ISE Server.

* DCOM uses DCE/RPC. If the Active Directory Domain Controller uses Windows Firewall, you must configure it to allow Identity Collector traffic: enable Remote Event Log Management > Remote Event Log Management (RPC).

Identity Collector Alias Feature

Sometimes, a Domain Controller sends events with domain names that are not the NetBIOS or the FQDN names. When this occurs, the Identity Awareness Gateway does not know the domain and drops the association. The Alias feature of the Identity Collector resolves this issue.

To enable the Alias feature on the Identity Collector client computer:

  1. Go to this folder:

    C:\ProgramData\CheckPoint\IdentityCollector\

  2. Create a new configuration file:

    DomainDictionaryAliases.cfg

  3. The structure of the configuration file must be as follows:

    <name from which to convert>=<name to which to convert>

    Notes:

    • There is no space between the equal sign and the name of the domain or the alias name.
    • Each line shows one conversion.

    Example:

    If the nickname of "something.com" is "someone", add this line in the file: someone=something.com

    This way, if an event contains the "someone" domain, the domain name will change to "something.com".

  4. Save the changes in the file.
  5. Restart the Identity Collector service:
    • Service Name: IDCService
    • Service Display Name: Check Point Identity Collector
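A small checker for the alias file format described above, added here as an example (it is not Check Point's code and does not replicate the Identity Collector's own parser): it accepts only <name>=<name> lines with no spaces, reports any malformed line instead of applying it, and maps an event's domain through the table. Skipping blank lines and matching domain names case-insensitively are assumptions.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# One conversion per line, no spaces around '=' (the format the page specifies).
ALIAS_LINE = re.compile(r"^([^=\s]+)=([^=\s]+)$")


def parse_alias_text(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Returns (aliases, errors); malformed lines are reported instead of applied."""
    aliases: Dict[str, str] = {}
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue  # assumption: blank lines are skipped
        m = ALIAS_LINE.match(raw)
        if m is None:
            errors.append(f"line {lineno}: expected <from>=<to> with no spaces, got {raw!r}")
            continue
        src, dst = m.groups()
        aliases[src.lower()] = dst  # assumption: domain names match case-insensitively
    return aliases, errors


def load_alias_file(path: str) -> Tuple[Dict[str, str], List[str]]:
    """Loads DomainDictionaryAliases.cfg from the folder named on the page."""
    return parse_alias_text(Path(path).read_text(encoding="utf-8-sig"))


def resolve_domain(domain: str, aliases: Dict[str, str]) -> str:
    """Maps an event's domain through the alias table; unknown names pass through."""
    return aliases.get(domain.lower(), domain)


# Constructed sample file content, including one malformed line.
SAMPLE_CFG = "someone=something.com\nCORP=corp.example.com\nbad = spaced.example\n"

if __name__ == "__main__":
    table, problems = parse_alias_text(SAMPLE_CFG)
    print(table, problems)
    print(resolve_domain("someone", table))
```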

Identity Collector Optimization

Exclude multi-user machines

After the Identity Collector works for a while, you can check how many multi-user computers there are, and add them to the Network Exclusion List. To do so, enter this command on the Identity Awareness Gateway CLI:

pdp idc muh show

Exclude service accounts

After the Identity Collector works for a while, you can see how many service accounts there are, and add them to the Identity Exclusion List. To do so, enter this command on the Identity Awareness Gateway CLI:

pdp idc service_accounts

Consolidate Groups

If the Identity Awareness Gateway receives the user groups from the Cisco Identity Collector (SGT), it does not try to fetch them from the user directory. If you enable group consolidation, the Identity Awareness Gateway fetches the group even if it receives groups from the Identity Collector:

pdp idc groups_consolidation show