Configuring Identity Logging for a Log Server

When you enable Identity Awareness on a Log Server, you add user and computer identification to Check Point logs. Administrators can then analyze network traffic and security-related events better.

The Log Server communicates with Active Directory servers. The Log Server stores the data extracted from the AD in an association map. When Security Gateways generate a Check Point log entry and send it to the Log Server, the server gets the user and computer name from the association map entry that corresponds to the source IP address of the event log. It then adds this identity aware information to the log.

Enabling Identity Awareness on the Log Server for Identity Logging

Before you enable Identity Awareness on the Log Server for Identity Logging:

• Make sure there is network connectivity between the Log Server and the domain controller of your Active Directory environment.
• Get the Active Directory administrator credentials.

To enable Identity Awareness on the Log Server for logging:

1. Log in to SmartConsole.
2. From the Navigation Toolbar, click Gateways & Servers.
3. Open the Log Server object.
4. In the General Properties page, in the Management section, select Logging & Status and Identity Awareness.

   The Identity Awareness Configuration wizard opens.

5. On the Acquire Identities For Logs window, click Next.
6. On the Integration With Active Directory page, select or configure an Active Directory Domain.
   1. From the Select an Active Directory list, select the Active Directory to configure from the list that shows configured LDAP Account Units or create a new domain. If you have not set up Active Directory, you need to enter a domain name, username, password and domain controller credentials.

      When the SmartConsole client computer is part of the AD domain, SmartConsole suggests this domain automatically. If you select this domain, the system creates an LDAP Account Unit with all of the domain controllers in the organization's Active Directory.

   2. Enter the Active Directory credentials and click Connect to verify the credentials.
      Important - For AD Query you must enter domain administrator credentials. For Browser-Based Authentication standard credentials are sufficient.
   3. If you selected Browser-Based Authentication or Terminal Servers, or do not wish to configure Active Directory, select I do not wish to configure Active Directory at this time and click Next.

   Best Practice - We highly recommend that you go to the LDAP Account Unit and make sure that only necessary domain controllers are in the list. If AD Query is not required to operate with some of the domain controllers, delete them from the LDAP Servers list.

   With the Identity Awareness configuration wizard, you can use existing LDAP Account units or create a new one for one AD domain.

   If the SmartConsole computer is part of the domain, the Wizard fetches all the domain controllers of the domain and all of the domain controllers are configured.

   If you create a new domain, and the SmartConsole computer is not part of the domain, the LDAP Account Unit that the system creates contains only the domain controller you set manually. If it is necessary for AD Query to fetch data from other domain controllers, you must add them later manually to the LDAP Servers list after you complete the wizard.

   To view/edit the LDAP Account Unit object, open Object Explorer (Ctrl + E), and select Servers > LDAP Account units in the Categories tree.

   The LDAP Account Unit name syntax is: <domain name>__AD

   For example, CORP.ACME.COM__AD.

7. Click Next.
8. The Identity Awareness is Now Active page opens with a summary of the acquisition methods.
9. Click Finish.
10. Optional: In the Log Server object, go to the Identity Awareness page and configure the applicable settings.
11. Click OK.
12. Install the database:
    1. From SmartConsole, go to Menu > click Install database.
    2. The Install Database window appears.
    3. Select all Check Point objects, on which to install the database.
    4. In the Install database window, click Install.
    5. In the SmartConsole window, click Publish & Install.
    6. The operation should end with the message Install Database on XXX Succeeded.

Install Database for a Log Server

If you have configured Identity Awareness for a Log Server, but do not see identities in logs, make sure you installed the database.

To install the database:

1. From SmartConsole, go to Menu > Install database...

   The Install Database window appears.

2. Select all Check Point object, on which to install the database.
3. Click OK.
4. Click Close when done.

WMI Performance

Bandwidth between the Log Server and Active Directory Domain Controllers

The amount of data transferred between the Log Server and domain controllers depends on the amount of events generated. The generated events include event logs and authentication events. The amounts vary according to the applications running in the network. Programs that have many authentication requests result in a larger amount of logs. The observed bandwidth range varies between 0.1 to 0.25 Mbps per each 1000 users.

CPU Impact

When using AD Query, the impact on the domain controller CPU is less than 3%.