When you enable Identity Awareness on a Log Server, you add user and computer identification to Check Point logs. Administrators can then analyze network traffic and security-related events better.
The Log Server communicates with Active Directory servers and stores the data extracted from AD in an association map. When a Security Gateway generates a Check Point log entry and sends it to the Log Server, the server looks up the association map entry that corresponds to the source IP address of the logged event, takes the user and computer name from it, and adds this identity information to the log.
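The lookup described above, as an added illustration that is not Check Point code: an association map keyed by source IP is built from constructed AD Query events, and constructed gateway log entries are enriched from it. Field names (`src`, `user`, `src_machine_name`) and the rule that a newer event for the same IP replaces the older one are assumptions, not taken from the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress


@dataclass
class Identity:
    user: str
    computer: str


# Constructed AD Query events (what the Log Server learns from the domain
# controllers): source IP plus the user and computer that logged on from it.
AD_EVENTS = [
    {"ip": "10.1.2.30", "user": "CORP\\alice", "computer": "WS-ALICE"},
    {"ip": "10.1.2.31", "user": "CORP\\bob", "computer": "WS-BOB"},
    {"ip": "10.1.2.30", "user": "CORP\\carol", "computer": "WS-ALICE"},
]

# Constructed gateway log entries; 10.1.2.99 has no AD event on purpose.
GATEWAY_LOGS = [
    {"src": "10.1.2.30", "dst": "203.0.113.5", "service": "https", "action": "accept"},
    {"src": "10.1.2.99", "dst": "203.0.113.5", "service": "ssh", "action": "drop"},
]


def build_association_map(events: List[dict]) -> Dict[str, Identity]:
    """Map source IP -> Identity. Assumption: the latest event for an IP wins."""
    amap: Dict[str, Identity] = {}
    for e in events:
        ip = str(ipaddress.ip_address(e["ip"]))  # validate and normalise the address
        amap[ip] = Identity(e["user"], e["computer"])
    return amap


def enrich_log(entry: dict, amap: Dict[str, Identity]) -> dict:
    """Return a copy of the log entry with identity fields added when the
    source IP is known; an unknown IP yields user=None so the gap is visible."""
    enriched = dict(entry)
    ident: Optional[Identity] = amap.get(entry.get("src", ""))
    enriched["user"] = ident.user if ident else None
    enriched["src_machine_name"] = ident.computer if ident else None
    return enriched


def enrich_all(logs: List[dict], amap: Dict[str, Identity]) -> List[dict]:
    return [enrich_log(entry, amap) for entry in logs]


def account_unit_name(domain: str) -> str:
    """LDAP Account Unit name syntax from the page: <domain name>__AD."""
    return f"{domain.upper()}__AD"
```

Entries whose source IP has no association (the `ssh` drop above) keep `user=None`; a count of such entries is a quick check that the database was installed and AD Query is reaching the right domain controllers.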
Before you enable Identity Awareness on the Log Server for Identity Logging:
To enable Identity Awareness on the Log Server for logging:
The Identity Awareness Configuration wizard opens.
When the SmartConsole client computer is part of the AD domain, SmartConsole suggests this domain automatically. If you select this domain, the system creates an LDAP Account Unit with all of the domain controllers in the organization's Active Directory.
Best Practice - We highly recommend that you go to the LDAP Account Unit and make sure that only necessary domain controllers are in the list. If AD Query is not required to operate with some of the domain controllers, delete them from the LDAP Servers list.
With the Identity Awareness configuration wizard, you can use existing LDAP Account units or create a new one for one AD domain.
If the SmartConsole computer is part of the domain, the wizard fetches all the domain controllers of the domain and configures all of them in the LDAP Account Unit.
If you create a new domain, and the SmartConsole computer is not part of the domain, the LDAP Account Unit that the system creates contains only the domain controller you set manually. If it is necessary for AD Query to fetch data from other domain controllers, you must add them later manually to the LDAP Servers list after you complete the wizard.
To view/edit the LDAP Account Unit object, open Object Explorer (Ctrl + E), and select Servers > LDAP Account units in the Categories tree.
The LDAP Account Unit name syntax is: <domain name>__AD. For example, CORP.ACME.COM__AD.
If you have configured Identity Awareness for a Log Server, but do not see identities in logs, make sure you installed the database.
To install the database:
The Install Database window appears.
Bandwidth between the Log Server and Active Directory Domain Controllers
The amount of data transferred between the Log Server and the domain controllers depends on the number of events generated. These include event logs and authentication events, and the volume varies with the applications running in the network: programs that make many authentication requests produce more logs. The observed bandwidth ranges from 0.1 to 0.25 Mbps per 1000 users.
CPU Impact
When using AD Query, the impact on the domain controller CPU is less than 3%.