Check Point Identity Collector is a dedicated client agent installed on Windows Servers in your network. Identity Collector collects information about identities and their associated IP addresses, and sends it to the Check Point Security Gateways for identity enforcement. For mandatory requirements and more information, see sk108235.
This section explains the steps you must follow to operate Identity Collector as an identity source, including installation and configuration on the Windows Server.
To deploy the Identity Collector:
Note - The Identity Collector does not directly send AD, LDAP or other types of groups to Identity Awareness Security Gateway.
To install the Identity Collector, a user with administrator rights must run the Identity Collector installation.
For all requirements and more information, see sk108235.
The Windows server, on which you install the Identity Collector, must meet these requirements:
To enable the Identity Collector solution, you must also configure it in the Identity Awareness Gateway object in SmartConsole:
You must select Identity Awareness Gateway interfaces that can accept connections from Identity Collector clients.
To select the Identity Awareness Gateway interfaces:
Important - The Through all interfaces and Through internal interfaces options have priority over Firewall Policy rules. If a Firewall rule is configured to block connections from Identity Collector clients, connections continue to be permitted when one of these options is selected.
An Identity Awareness Gateway accepts connections only from authorized Identity Collector client computers.
To configure authorized Identity Collector client computers:
Notes:
Or from the right upper corner, click the Objects tab > New > Host.
Notes:
The LDAP Account Units window opens.
By default, all User Directories options are selected. You can select only one or two options if users come only from a specified directory and you want to maximize Security Gateway performance when users authenticate. Users with identical user names must log in with domain\username.
Do these steps in the Identity Collector to configure it to work with Active Directory:
To add a new Active Directory with its Domain Controllers:
Note - The account must be a member of the Event Log Readers group.
To add a new Query Pool:
Assign one Query Pool to each gateway.
Note - The Identity Collector queries only the AD Domain Controllers and Cisco ISE Servers that are in the Query Pool.
To connect the Identity Collector to a Check Point gateway:
Note - Assign one Query Pool to each gateway.
You can configure the Identity Collector to filter the login events. The Identity Collector sends to the Identity Server (Identity Awareness Gateway) only events that match the filter criteria.
| Step | Description |
|---|---|
| 1 | Open the Identity Collector application. |
| 2 | From the top toolbar, click Filters. |
| 3 | Select, or configure a filter: |
| 4 | Click OK. |
Cache:
The cache saves associations (user-to-IP address) that the Identity Collector creates for a time period (the default is 5 minutes). If the event happens again during that time, the Identity Collector does not send it to the Identity Server again.
For advanced configuration options, go to the Advanced tab on the left pane of the Identity Collector.
Activity Log
Logs the date and time of activities done in the Identity Collector. This log is cleared every time the GUI restarts.
Settings > Identity Reporting
Association time-to-live – How long this association will live on the PDP Security Gateway. The default is 12 hours.
Cache time-to-live – The cache saves associations (user to IP) that the Identity Collector creates for a set period of time (the default is 5 minutes). If the event occurs again during that time period, the Identity Collector does not send the event to the gateway again.
Ignore machine identities – The Identity Collector does not send computer associations, only user associations. The default of this feature is off.
Ignore RDP events – When remote desktop login occurs, 2 login events occur in the domain controller with the same username but different IPs: the computer logged in from and the computer logged in to. Therefore, the IP of the computer logged in from is redundant and with this configuration the Identity Collector ignores it.
Clear Cache Button – Clears all the entries saved in the cache. The Identity Collector will create new cache entries when it receives new associations.
Settings > ISE Servers
Session Keep-alive – At every configured interval, the Identity Collector goes over its internal ISE sessions database. If it finds expired sessions, it queries the ISE Server to see whether each session is still alive, and then updates the gateway accordingly. This value sets that interval.
Settings > Logins Monitor
Enable Logins Monitor – When selected, the Identity Collector records user login events and shows them in the Logins Monitor tab.
Event expiration time – The maximum time that the Logins Monitor Table stores each login record.
Cache time-to-live – The maximum time between two different login events by the same user or same computer that are treated as one Logins Monitor record.
Auto refresh time – The interval at which the Logins Monitor user interface refreshes its view and requests an update of the user login records.
Ignore revoked events – When selected, the Logins Monitor tab only stores and displays the latest login event (both user and computer event) for each IP address.
| Direction | Port | Protocol |
|---|---|---|
| Identity Collector to Identity Awareness Gateway | 443 | Proprietary Check Point protocol, over HTTPS. Used for ongoing communication between the agent and the Identity Awareness Gateway. |
| Identity Collector to Microsoft Active Directory Domain Controller | 53 | DNS |
| Identity Collector to Microsoft Active Directory Domain Controller | 389 | LDAP |
| Identity Collector to Microsoft Active Directory Domain Controller | 636 | LDAPS |
| Identity Collector to Microsoft Active Directory Domain Controller | 135, | * DCOM protocol, which makes extensive use of DCE/RPC. |
| Identity Collector to Cisco ISE Server | 5222 | Session subscribe. Gets notifications of new login or logout events from the Cisco ISE Server. |
| Identity Collector to Cisco ISE Server | 8910 | Bulk session download. Fetches all the active sessions from the Cisco ISE Server. |
* DCOM uses DCE/RPC. If the Active Directory Domain Controller uses Windows Firewall, you must configure it to allow Identity Collector traffic: enable Remote Event Log Management > Remote Event Log Management (RPC).
Sometimes, a Domain Controller sends events with domain names that are not the NetBIOS or the FQDN names. When this occurs, the Identity Awareness Gateway does not know the domain and drops the association. The Alias feature of the Identity Collector resolves this issue.
To enable the Alias feature on the Identity Collector client computer:
C:\ProgramData\CheckPoint\IdentityCollector\
DomainDictionaryAliases.cfg
<name from which to convert>=<name to which to convert>
Notes:
Example:
If the nickname of "something.com" is "someone", add this line in the file: someone=something.com
This way, if an event contains the "someone" domain, the domain name will change to "something.com".
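The event handling this page describes, modelled as an added Python example (not Check Point's code): it applies the DomainDictionaryAliases.cfg mapping from the Alias feature above, the Ignore machine identities option and the 5-minute Cache time-to-live from Settings > Identity Reporting, and reports which user-to-IP associations would be sent to the Identity Awareness Gateway. Recognising computer accounts by the AD `$` name suffix and matching domain names case-insensitively are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

CACHE_TTL_SECONDS = 5 * 60  # Cache time-to-live default from the page: 5 minutes

def parse_aliases(text: str) -> dict:
    """Parse DomainDictionaryAliases.cfg: one <from>=<to> per line. Blank or
    malformed lines are skipped; <from> is lower-cased (assumption: domain
    names are matched case-insensitively)."""
    aliases = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        src, dst = line.split("=", 1)
        aliases[src.strip().lower()] = dst.strip()
    return aliases

@dataclass
class Collector:
    aliases: dict
    ignore_machines: bool = False              # Settings > Identity Reporting option
    cache: dict = field(default_factory=dict)  # (domain, user, ip) -> time last sent

    def handle(self, domain: str, user: str, ip: str, now: float) -> Optional[str]:
        """Return the association to send to the gateway, or None if filtered."""
        # Assumption: computer accounts are recognised by the AD '$' name suffix.
        if self.ignore_machines and user.endswith("$"):
            return None
        domain = self.aliases.get(domain.lower(), domain)  # Alias feature rewrite
        key = (domain.lower(), user.lower(), ip)
        last = self.cache.get(key)
        if last is not None and now - last < CACHE_TTL_SECONDS:
            return None  # already sent inside the cache TTL: not sent again
        self.cache[key] = now
        return f"{domain}\\{user} {ip}"

# Constructed sample: the page's alias example plus four login events
# (domain, user, IP, seconds since start).
SAMPLE_ALIASES = "someone=something.com\n"
SAMPLE_EVENTS = [
    ("someone", "alice", "10.0.0.5", 0.0),          # alias rewrites to something.com
    ("SOMETHING.COM", "alice", "10.0.0.5", 60.0),   # repeat inside the 5-minute TTL
    ("something.com", "WS01$", "10.0.0.9", 70.0),   # computer account
    ("something.com", "alice", "10.0.0.5", 400.0),  # TTL expired, sent again
]

def run_sample(ignore_machines: bool = True) -> list:
    c = Collector(parse_aliases(SAMPLE_ALIASES), ignore_machines=ignore_machines)
    return [r for r in (c.handle(*e) for e in SAMPLE_EVENTS) if r is not None]
```

With Ignore machine identities on, only the two `alice` associations outside each other's TTL window reach the gateway; with it off, the `WS01$` computer association is sent as well.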
IDCService
Check Point Identity Collector
Exclude multi-user machines
After the Identity Collector works for a while, you can check how many multi-user computers there are, and add them to the Network Exclusion List. To do so, enter this command on the Identity Awareness Gateway CLI:
pdp idc muh show
Exclude service accounts
After the Identity Collector works for a while, you can see how many service accounts there are, and add them to the Identity Exclusion List. To do so, enter this command on the Identity Awareness Gateway CLI:
pdp idc service_accounts
Consolidate Groups
If the Identity Awareness Gateway receives the user groups from the Cisco Identity Collector (SGT), it does not try to fetch them from the user directory. If you enable group consolidation, the Identity Awareness Gateway fetches the group even if it receives groups from the Identity Collector:
pdp idc groups_consolidation show