Configuring Identity Collector

Check Point Identity Collector is a dedicated client agent installed on Windows Servers in your network. Identity Collector collects information about identities and their associated IP addresses, and sends it to the Check Point Security Gateways for identity enforcement. For mandatory requirements and more information, see sk108235.

This section explains the steps you must follow to operate Identity Collector as an identity source, including installation and configuration on the Windows Server.

Configuring the Identity Collector in the Identity Awareness Gateway object

To enable the Identity Collector solution, you must also configure it in the Identity Awareness Gateway object in SmartConsole:

In SmartConsole, open the Identity Awareness Gateway object.
Go to the Identity Awareness pane.
Select Identity Collector.
Near the Identity Collector, click Settings.
In the Identity Collector Settings window, configure:
- Client Access Permissions
- Authorized Clients and Selected Client Secret
- Authentication Settings
Click OK to close the Identity Collector Settings window.
Click OK to close the Gateway Properties window.
Optional: If you want to enforce the Cisco Security Group Tags (SGTs) on the Identity Awareness Gateway:
1. In SmartConsole, click Objects menu > Object Explorer > New > User > User Group.
2. Name the new group: CSGT-<SGT_NAME>.
3. Assign this group to an Access Role.
Install the Access Policy.

Client Access Permissions

You must select Identity Awareness Gateway interfaces that can accept connections from Identity Collector clients.

To select the Identity Awareness Gateway interfaces:

In the Client Access Permissions section of the Identity Collector Settings window, click Edit.
Select Security Gateway interfaces that can accept connections from Identity Collector clients. The options are based on the topology configured for the Security Gateway. Identity Collector clients can access the Security Gateway, if they use networks connected to these interfaces. The options are:
1. Through all interfaces - All Security Gateway interfaces can accept connections from Identity Collector clients.
2. Through internal interfaces - Only Security Gateway interfaces that are explicitly defined internal, can accept connections from Identity Collector clients.
  - Including undefined internal interfaces - Also accepts connections from Web API clients on internal interfaces without a defined IP address
  - Including DMZ internal interfaces - Also accepts connections from Identity Collector clients located in the DMZ
  - Including VPN Encrypted interfaces - Also accepts connections from Identity Collector clients located in the VPN domain
3. According to the Firewall policy - Select this, if there is an explicit Access Policy rule that accept connections from Identity Collector clients.

Important - The Through all interfaces and Through internal interfaces options have priority over Firewall Policy rules. If a Firewall rule is configured to block connections from Identity Collector clients, connections continue to be permitted when one of these options is selected.

Authorized Clients and Selected Client Secret

An Identity Awareness Gateway accepts connections only from authorized Identity Collector client computers.

To configure authorized Identity Collector client computers:

In the Authorized Clients section of the Identity Collector Settings window, click the green [+] icon and select an Identity Collector client from the list.
Notes:
- To define a new host object:
1. Close the Identity Collector Settings window.
2. Close the Identity Awareness Gateway Properties window.
3. From the top toolbar, click the Objects menu > More object types > Network Object > New Host.
  Or from the right upper corner, click the Objects tab > New > Host.
- To remove an existing Identity Collector client from the list, select the client and click the red [-] icon.
Create an authentication secret for a selected Identity Collector client:
1. Select the Identity Collector client in the list.
2. Click Generate, or enter the desired secret manually.
Notes:
- Each client has its own client secret.
- To modify a client secret, change it manually.

Authentication Settings

In the Authentication Settings section of the Identity Collector Settings window, click Settings.
The LDAP Account Units window opens.
Configure where the Identity Awareness Gateway can search for users, when they try to authenticate:
- Internal users - The directory of configured internal users.
- LDAP users - The directory of LDAP users:
  - All Gateway's Directories -Users from all configured LDAP servers.
  - Specific - Users from configured LDAP servers that you select.
- External user profiles - The directory of users, who have external user profiles.

By default, all User Directories options are selected. You can select only one or two options, if users are only from a specified directory, and you want to maximize Security Gateway performance, when users authenticate. Users with identical user names must log in with domain\username.

Downloading the Identity Collector

To download the Identity Collector:

Make sure you configured the Identity Collector in the Identity Awareness Gateway object.
In SmartConsole, open the Identity Awareness Gateway object.
Go to the Identity Awareness pane.
Under the Identity Collector, click the link Download agent.
Make sure you open the link from a location defined in the Accessibility setting (Identity Collector > Settings > Edit).
Your web browser will open this link:
https://<Gateway_IP_Address>/_IA_IDC/download/CPIdentityCollector.msi

Download should start automatically.
In the Identity Awareness Gateway object, click OK.

Installing the Identity Collector

To install the Identity Collector, a user with administrator rights must run the Identity Collector installation.

For all requirements and more information, see sk108235.

The Windows server, on which you install the Identity Collector, must meet these requirements:

Windows Server 2008 or Windows Server 2008 R2, Windows Server 2012 or Windows Server 2012 R2, Windows 2016
Installed .NET: 4.0 or higher
Free Disk Space: 10 GB
Memory: 8 GB
Oracle Java: JRE 1.8 (Java SE Runtime Environment 8) or higher
Connectivity to the AD domain controllers of the organization using DNS, LDAP and DCOM
Connectivity to the Check Point Identity Awareness Gateway over TCP port 443

The Identity Collector GUI

These are the elements of the Identity Collector client GUI that was downloaded from R80.20 Security Gateway:

Location in GUI	Element in GUI	Description
Upper left corner	Icon with pink people silhouettes	Opens a menu with these options: Import Configuration Export Configuration About Exit
Top toolbar	Query Pools	Configuration of Query Pools
	Filters	Configuration of Filters for login events
	Domains	Configuration of Domains
	Syslog Parses	Configuration of Syslog Parses
Left navigation toolbar	Identity Sources	Configuration of Identity Sources
	Gateways	Configuration of Identity Awareness Gateways
	Logins Monitor	View of login events
	Settings	Configuration of advanced settings

Working with Query Pools in the Identity Collector

To add a new Query Pool in the Identity Collector:

Step	Description
1	Open the Identity Collector application.
2	At the top, click Query Pools.
3	From the top toolbar, click New Query Pool ().
4	Enter the name for the Query Pool to show in the Identity Collector.
5	(Optional) Enter the comment.
6	Select the Identity Sources, from which to collect identities.
7	Click OK.

To edit an existing Query Pool in the Identity Collector:

Step	Description
1	Open the Identity Collector application.
2	At the top, click Query Pools.
3	Select the applicable Filter.
4	From the top toolbar, click Edit Query Pool ().
5	Select the Identity Sources, from which to collect identities.
6	Click OK.

To delete an existing Query Pool in the Identity Collector:

Step	Description
1	Open the Identity Collector application.
2	At the top, click Query Pools.
3	Select the applicable Filter.
4	From the top toolbar, click Delete Query Pool ().
5	Click Yes to confirm.
6	Click OK.

Note - The Identity Collector queries only the Identity Sources that are selected in the Query Pool.

Working with Filters for Login Events in the Identity Collector

You can configure the Identity Collector to filter the login events. The Identity Collector sends to the Identity Server (Identity Awareness Gateway) only events that match the filter criteria.

To add a new Filter for login events in the Identity Collector:

Step	Description
1	Open the Identity Collector application.
2	From the top toolbar, click Filters.
3	From the top toolbar, click New Filter ().
4	Enter the name for the Filter to show in the Identity Collector.
5	(Optional) Enter the comment.
4	Configure the filter: Network Filter - Defines IP addresses and networks to Include or Exclude. Identity Filter - Defines user names and computer names to Include or Exclude. Domain Filter - Defines domain names to Include or Exclude.
5	Click OK.

To edit an existing Filter for login events in the Identity Collector:

Step	Description
1	Open the Identity Collector application.
2	From the top toolbar, click Filters.
3	Select the applicable Filter.
4	From the top toolbar, click Edit Filter ().
5	Configure the Filter: Network Filter - Defines IP addresses and networks to Include or Exclude. Identity Filter - Defines user names and computer names to Include or Exclude. Domain Filter - Defines domain names to Include or Exclude.
6	Click OK.

To delete an existing Filter for login events in the Identity Collector:

Step	Description
1	Open the Identity Collector application.
2	From the top toolbar, click Filters.
3	Select the applicable Filter.
4	From the top toolbar, click Delete Filter ().
5	Click Yes to confirm.
6	Click OK.

Cache:

The cache saves associations (user-to-IP address) that the Identity Collector creates for a certain time (the default is 5 minutes). If the event happens again during that time, the Identity Collector does not send it to the Identity Server again.

Working with Active Directory Domains in the Identity Collector

To add a new Active Directory Domain in the Identity Collector:

Step	Description
1	Open the Identity Collector application.
2	At the top, click Domains.
3	From the top toolbar, click New Domain ().
4	Enter the Domain name to show in the Identity Collector.
5	(Optional) Enter the comment.
6	Enter the Domain account credentials - Username and Password. Note - The account must be a member of the Event Log Readers group.
7	Enter the DC IP Address and click Test.
8	Click OK.

To edit an existing Active Directory Domain in the Identity Collector:

Step	Description
1	Open the Identity Collector application.
2	At the top, click Domains.
3	Select the applicable Domain.
4	From the top toolbar, click Edit Domain ().
5	Configure the Domain.
6	Click OK.

To delete an existing Active Directory Domain in the Identity Collector:

Step	Description
1	Open the Identity Collector application.
2	At the top, click Domains.
3	Select the applicable Domain.
4	From the top toolbar, click Delete Domain ().
5	Click Yes to confirm.
6	Click OK.

Connecting the Identity Collector to the Identity Awareness Gateway

To connect the Identity Collector to the Check Point Identity Server (Identity Awareness Gateway):

Step	Description
1	Open the Identity Collector application.
2	From the left navigation toolbar, click Gateways.
3	From the top toolbar, click Add ().
4	Configure the Identity Awareness Gateway: IP Address - Enter IPv4 address as configured in Identity Awareness Gateway object in SmartConsole Shared Secret - Enter the shared secret as configured in Identity Awareness Gateway object (Identity Awareness pane > Identity Collector > Settings). Query Pool - Select the applicable Query Pool. Filter - Select the applicable Filter for the login events (if this field is left empty, the default Global filter is used). Pre R80.10 Gateway - Select this option, if you connect to Identity Awareness Gateway R77.30 and below.
5	Click Test.
6	Examine and approve the Certificate Info.
7	Click OK.

Configuring the Identity Collector to Work with Active Directory

Workflow to configure the Identity Collector to work with Active Directory:

In the Identity Collector, add a new Active Directory Domain.
In the Identity Collector, add a new Active Directory Domain Controllers.
In the Identity Collector, add a new Query Pool, or edit an existing Query Pool.
In the Identity Collector, add a new Filter for the login events, or edit an existing Filter.
Connect the Identity Collector to the Check Point Identity Server (Identity Awareness Gateway).

Notes:

The Identity Collector is using the Windows Event Log API for fetching the security logs from Domain Controllers.
The Identity Collector can communicate with up to 35 Active Directory servers.
The Identity Collector can process up to 1900 AD events per second.

To add a new Active Directory Domain:

See Working with Active Directory Domains in the Identity Collector.

To add a new Active Directory Domain Controller as an Identity Source:

Use one of these two options to add the required Domain Controllers.

To add Domain Controllers automatically by DNS and LDAP queries:

Step	Description
1	Open the Identity Collector application.
2	From the left navigation toolbar, click Identity Sources.
3	From the top toolbar, click New Source > Active Directory > Fetch Automatically.
4	Enter the Domain Controller information: Domain - Select the Active Directory Domain, or configure a new one. DC IP Address - Enter the IP address of one of the Domain Controllers you want to add.
5	Click Fetch. A list of the Domain Controllers show.
6	Enable the Domain Controllers you want to add.
7	Click OK.

To add Domain Controllers manually one at a time:

Step	Description
1	Open the Identity Collector application.
2	From the left navigation toolbar, click Identity Sources.
3	From the top toolbar, click New Source > Active Directory > Add Manually.
4	Enter the Domain Controller Name to show in the Identity Collector.
5	(Optional) Enter your comment.
6	Enter the Domain Controller information: Domain - Select the Active Directory Domain, or configure a new one. IP Address - Enter the IP address of one of the Domain Controllers you want to add. Site - (Optional) Enter the Domain Controller site name. Is Forwarded Event Log Collector - Select this option, if this server is not a Domain Controller, but a server, to which the login events are forwarded.
7	Click Test.
8	Click OK

To add a new Query Pool in the Identity Collector:

See Working with Query Pools in the Identity Collector.

To add a new Filter for login events in the Identity Collector:

See Working with Filters for Login Events in the Identity Collector.

To connect the Identity Collector to the Check Point Identity Server (Identity Awareness Gateway):

See Connecting the Identity Collector to the Identity Awareness Gateway.

Configuring the Identity Collector to Work with Cisco ISE Server

Workflow to configure the Identity Collector to work with Cisco ISE:

In the Identity Collector, add a new Cisco ISE Server as an Identity Source.
In the Identity Collector, add a new Query Pool, or edit an existing Query Pool.
In the Identity Collector, add a new Filter for the login events, or edit an existing Filter.
Connect the Identity Collector to the Check Point Identity Server (Identity Awareness Gateway).

To add a new Cisco ISE Server as an Identity Source:

Step	Description
1	Open the Identity Collector application.
2	From the left navigation toolbar, click Identity Sources.
3	From the top toolbar, click New Source > Cisco ISE.
4	Enter the ISE Server Name to show in the Identity Collector.
5	Enter the Server Settings: Primary Node - Enter the resolvable FQDN of the primary pxGrid node (or the standalone node). Secondary Node - Enter the resolvable FQDN of the secondary pxGrid node. Only required in distributed pxGrid environment with more than one pxGrid node. Site - (Optional) Enter a Site name Certificate File - Select the ISE Server certificate file (in `jks` format), generated by the ISE Server. See the Cisco pxGrid documentation. Certificate Key - Enter the key for the ISE Server certificate file. Machine Name - Enter the resolvable FQDN of the Identity Collector client computer. The ISE Server pxGrid client list will later show this FQDN (Administration > pxGrid Services > Client Name) and it must be approved.
6	Enter the Client Settings: Certificate File - Select the Identity Collector certificate file (in `jks` format), generated by the ISE Server. See the Cisco pxGrid documentation. Certificate Key - Enter the key for the Identity Collector certificate file.
7	Click OK.

To add or edit a Query Pool in the Identity Collector:

See Working with Query Pools in the Identity Collector.

To add or edit a Filter for login events in the Identity Collector:

See Working with Filters for Login Events in the Identity Collector.

To connect the Identity Collector to the Check Point Identity Server (Identity Awareness Gateway):

See Connecting the Identity Collector to the Identity Awareness Gateway.

Configuring the Identity Collector to Parse Syslog Messages

Identity Collector can now receive and process syslog messages that contain identity information. Identity Collector can use these syslog messages as an additional identity source for the Identity Awareness Gateway.

Workflow to configure the Identity Collector to parse Syslog messages:

In the Identity Collector, create a new Syslog Parser.
In the Identity Collector, add a Syslog Server as an Identity Source.
In the Identity Collector, add a new Query Pool, or edit an existing Query Pool.
In the Identity Collector, add a new Filter for the login events, or edit an existing Filter.
Connect the Identity Collector to the Check Point Identity Server (Identity Awareness Gateway).

To create a Syslog Parser:

Step	Description
1	Open the Identity Collector application.
2	From the top toolbar, click Syslog Parsers.
3	Click New Parser.
4	Enter the Syslog Parser information: Object Name - Enter the Syslog Parser name to show in the Identity Collector. (Optional) Enter your comment. Message Subject - The beginning of a log of the event. Select Regex option, if the Message Subject is a regular expression. Event Type - Select Login, or Logout. Delimiter - A character that separates all the fields. Username Prefix - The prefix of a username attribute. It is a sequence of characters, which precedes the username value. Username - The username attribute. Must be written inside parentheses. Machine Prefix - The prefix of a machine name attribute. It is a sequence of characters, which precedes the machine name value. Machine - The machine name attribute. Must be written inside parentheses. Address Prefix - The prefix of an address attribute. It is a sequence of characters, which precedes the address value. Address - The address attribute. Must be written inside parentheses. Domain Prefix - The prefix of a domain name attribute. It is a sequence of characters, which precedes the domain name value. Domain - The domain name attribute. Must be written inside parentheses. Is Domain Mandatory - Select this option, if you want to discard messages without the domain attribute. Test Message - Enter a test syslog message and click the Ø icon to confirm that your parser works correctly. Important - Only the value of the attribute must be inside parentheses.
5	Click OK.

Additional information about how Syslog Parser works:

Syslog parser uses regular expressions with ECMAScript syntax.

To get an attribute, syslog parser uses this regular expression:

/<Message Subject>.*<Attribute Prefix><Attribute>[\\n|<Delimiter>].*$/.

Any unnecessary attributes should be empty. One of these pairs is mandatory:

Address and Username
Address and Machine

Example syslog message:

LOCAL7.INFO: May 30 2017 11:15:45: %ASA-6-113004: AAA user accounting Successful : server = 192.168.1.1 : user = johndoe\n

The Syslog Parser for this message may look like this:

Message subject: AAA user accounting Successful
Event Type: Login
Delimiter: \s:
Username Prefix: user\s=
Username: \s(\w+)
Address Prefix: server\s=
Address: \s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

To add a Syslog Server as an Identity Source:

Step	Description
1	Open the Identity Collector application.
2	From the left navigation toolbar, click Identity Sources.
3	From the top toolbar, click New Source > Syslog.
4	Enter the Syslog Server information: Syslog Server Name - Enter the Syslog Server name to show in the Identity Collector. (Optional) Enter your comment. IP Address - Enter the IPv4 address of the Syslog Server. Port - Enter the number of the UDP port, on which Identity Collector will be listening. Site - Enter the Site name of the Syslog Server. Parser - Select an existing Syslog parser, or create a new one.

To add or edit a Query Pool in the Identity Collector:

See Working with Query Pools in the Identity Collector.

To add or edit a Filter for login events in the Identity Collector:

See Working with Filters for Login Events in the Identity Collector.

To connect the Identity Collector to the Check Point Identity Server (Identity Awareness Gateway):

See Connecting the Identity Collector to the Identity Awareness Gateway.

Note - If you imported a previously exported configuration, the Identity Collector's GUI might not show the Syslog Parsers immediately. In this case, close and reopen the Identity Collector.

Configuring the Identity Collector to Work with NetIQ eDirectory LDAP Servers

Workflow to configure the Identity Collector to work with NetIQ eDirectory LDAP servers:

In SmartConsole, configure the Identity Awareness Gateway to work with NetIQ eDirectory LDAP server.
In the Identity Collector, add a new NetIQ eDirectory LDAP Server.
In the Identity Collector, add a new Query Pool, or edit an existing Query Pool.
In the Identity Collector, add a new Filter for the login events, or edit an existing Filter.
Connect the Identity Collector to the Check Point Identity Server (Identity Awareness Gateway).

Note - Check Point only supports user authentication for NetIQ eDirectory.

To configure the Identity Awareness Gateway to work with NetIQ eDirectory LDAP server:

Step	Instructions
1	In SmartConsole, configure the Security Gateway that will act as Identity Awareness Identity Server: Open the Security Gateway object. Enable the Identity Awareness Software Blade. The Identity Awareness Configuration Wizard opens. On the Methods For Acquiring Identity page, select Browser-Based Authentication or Terminal Servers and click Next. You can disable this Identity Source later. On the Integration With Active Directory page, select I do not wish to configure the Active Directory at this time and click Next. Click Finish. The Identity Awareness Configuration Wizard closes. From the left navigation tree, go to the Identity Awareness page. Select Identity Collector. Near the Identity Collector, click Settings to configure: Client Access Permissions - though which interfaces Identity Collector client can access Security Gateway Authorized Clients - which computers with installed Identity Collector can access Security Gateway Selected Shared Secret - to configure in Identity Collector for this Security Gateway Authentication Settings - how to authenticate users Click OK to close the Identity Collector Settings window.
2	In SmartConsole, create a new Host object to represent your NetIQ eDirectory LDAP server: In the top left corner, click Objects > New Host. Configure the object name and IP address. Click OK.
3	In SmartConsole, create a new LDAP Account Unit object to represent the NetIQ eDirectory LDAP server, which manages the identities: In the top left corner, click Objects > Object Explorer. The Object Explorer window opens. In the left navigation tree, click Servers. From the toolbar, click New > Server > LDAP Account Unit. The LDAP Account Unit Properties window opens.
4A	Configure the new LDAP Account Unit object that represents the NetIQ eDirectory LDAP server: Go to the General tab. In the Name field, enter the desired object name (for example, `mycompany.com_LDAP_ACC_UNIT`). In the Profile field, select Novell_DS. In the Prefix field, enter your domain name (for example, `mycompany.com`). In the Account Unit usage section, select all the options. In the Additional configuration section, select Enable Unicode support.
4B	Continue the configuration of the new LDAP Account Unit object that represents the NetIQ eDirectory LDAP server: Go to the Servers tab. Click Add. The LDAP Server Properties window opens. Go to the General tab. In the Host field, select the host object you created for this LDAP server in Step 2 above. In the Username field, enter the username for this LDAP server (for example, `John.Smith`). In the Login DN field, enter the user's distinguished name (DN) for this LDAP server (see RFC1779). Note - Refer to the official NetIQ documentation. For example, use the `ldapsearch` command. In the Password field, enter the password for this LDAP server. In the Confirm password field, enter the password again. Click OK to close the LDAP Server Properties window. Note - The order, in which these LDAP Servers are shown, is also the default order, in which they will be queried. You can configure the desired priority for these LDAP Servers.
4C	Continue the configuration of the new LDAP Account Unit object that represents the NetIQ eDirectory LDAP server: Go to the Objects Management tab. In the Server to connect field, select the host object you created for this LDAP server in Step 2 above. Fetch or manually add the branch(es). The branch name is the suffix of the Login DN that begins with `DC=`. For example, if the Login DN is `CN=John.Smith,CN=Users,DC=mycompany,DC=com` then the branch name is `DC=mycompany,DC=com`
4D	Continue the configuration of the new LDAP Account Unit object that represents the NetIQ eDirectory LDAP server: (Optional) Go to the Authentication tab. Clear Use common group path for queries. In the Allowed authentication schemes section, select all the options. In the Users' default values section: Clear Use user template. Select Default authentication scheme > Check Point Password.
4E	Complete the configuration of the new LDAP Account Unit object that represents the NetIQ eDirectory LDAP server: Click OK to close the LDAP Account Unit Properties window.
5	In SmartConsole, install the Access Policy on the Identity Awareness Gateway that acts as Identity Server.

To add a NetIQ eDirectory Server as an Identity Source:

Step	Description
1	Open the Identity Collector application.
2	From the left navigation toolbar, click Identity Sources.
3	From the top toolbar, click New Source > eDirectory.
4	Enter the eDirectory Server information: Object Name - Enter the NetIQ eDirectory Server name to show in the Identity Collector. Domain - Select the NetIQ eDirectory domain, or click New Domain to configure a New Domain: Domain Name - Enter the NetIQ eDirectory Domain name to show in the Identity Collector. (Optional) Enter your comment. Username - Enter the NetIQ eDirectory username DN. Password - Enter the password for the given NetIQ eDirectory username. Click OK to close the New Domain window. IP address - Enter the NetIQ eDirectory Server IP address. Port - Enter the NetIQ eDirectory LDAP port (default is 389, SSL default is 636). Site - (Optional) Enter the NetIQ eDirectory site. Base DN - (Optional) Enter the queried base DN (for example, `o=corp`). LDAP over SSL - (Optional) Select for using LDAP over SSL.
5	Click OK to close the New eDirectory Server window.

To add or edit a Query Pool in the Identity Collector:

See Working with Query Pools in the Identity Collector.

To add or edit a Filter for login events in the Identity Collector:

See Working with Filters for Login Events in the Identity Collector.

To connect the Identity Collector to the Check Point Identity Server (Identity Awareness Gateway):

See Connecting the Identity Collector to the Identity Awareness Gateway.

Identity Collector Alias Feature

Sometimes, a Domain Controller sends events with domain names that are not the NetBIOS or the FQDN names. When this occurs, the Identity Awareness Gateway does not know the domain and drops the association. The Alias feature of the Identity Collector resolves this issue.

To enable Alias feature on the Identity Collector client computer:

Go to this folder:
C:\ProgramData\CheckPoint\IdentityCollector\
Create a new configuration file:
DomainDictionaryAliases.cfg
The structure of the configuration file must be as follows:
<name from which to convert>=<name to which to convert>

Notes:
- There is no space between the equal sign and the name of the domain or the alias name.
- Each line shows one conversion.
Example:

If the nickname of "something.com" is "someone", add this line in the file: someone=something.com

This way, if an event contains the "someone" domain, the domain name will change to "something.com".
Save the changes in the file.
Restart the Identity Collector service:
- Service Name: IDCService
- Service Display Name: Check Point Identity Collector

Identity Collector Advanced Configuration

In the Identity Collector client, from the left navigation toolbar, click Settings.

Category	Setting	Description
Activity Log		Logs the date and time of activities done in the Identity Collector. This log is cleared every time the Identity Collector GUI restarts.
Settings > Identity Reporting	Association time-to-live	How long this association lives on the PDP Identity Awareness Gateway. The default is 720 minutes, or 12 hours.
	Cache time-to-live	The cache saves associations (username-to-IP address) that the Identity Collector creates for a specified time. If the event occurs again during that time, the Identity Collector does not send the event to the Identity Awareness Gateway again. The default is 300 seconds, or 5 minutes.
	Ignore machine identities	If you select this option, the Identity Collector does not send computer associations, only user associations. By default, this option is cleared.
	Ignore RDP events	When Remote Desktop login occurs, 2 login events occur in the Domain Controller with the same username, but different IP addresses: the computer, from which login was made, and the computer, to which the login was made. If you select this option (this is the default), the Identity Collector ignores the IP address of the computer, from which login was made, because it is redundant.
	Clear Cache	Clears all the entries saved in the cache. The Identity Collector will create new cache entries when it receives new associations.
Settings > Debugging		Lets you configure the debug topics and severity of collected internal messages in the Identity Collector. Location of the output files is configured in this file: `C:\ProgramData\CheckPoint\IdentityCollector\ServiceDebugPath.cfg` The output files are: `{LOCATION}\ia_ag.log` `{LOCATION}\ia_idcgui_0.log` `{LOCATION}\ia_ag_tracker.log` `{LOCATION}\IDCLogs\ia_IDC_xxx.log`
Settings > ISE Servers	Session Keep-alive	The Identity Collector goes over its internal Cisco ISE sessions database every configured interval. If Identity Collector finds expired sessions, it queries the Cisco ISE Server to see if the session is still alive. Then Identity Collector updates the Identity Awareness Gateway accordingly. This value sets the interval, during which this occurs. The default is 1 minute.
Settings > eDirectory	LDAP Query Interval	This value sets the frequency for Identity Collector to query eDirectory LDAP servers. The default is 20 seconds.
Settings > eDirectory	Initial Fetch Time Frame	This value sets how long Identity Collector waits for eDirectory LDAP servers during initial fetch. The default is 720 minutes, or 12 hours.
Settings > Logins Monitor	Event expiration time	The maximal time that the Logins Monitor Table stores each login record.
	Cache time-to-live	The maximal time between two different login events by the same user or same computer that are treated as one Logins Monitor record.
	Auto refresh time	The interval of time, during which the user interface of the Logins Monitor refreshes its view, when it requests an update of the users' logins records.
	Ignore revoked events	When selected, the Logins Monitor tab only stores and shows the latest login event (both user and computer event) for each IP address.

Identity Collector Ports and Protocols

Direction	Port	Protocol
Identity Collector to Identity Awareness Gateway	443	Proprietary Check Point protocol, over HTTPS. Used for ongoing communication between the agent and the Identity Awareness Gateway.
Identity Collector to Microsoft Active Directory Domain Controller	53	DNS
Identity Collector to Microsoft Active Directory Domain Controller	389	LDAP
Identity Collector to Microsoft Active Directory Domain Controller	636	LDAPS
Identity Collector to Microsoft Active Directory Domain Controller	135, and dynamically allocated ports	* DCOM protocol, which makes extensive use of DCE/RPC.
Identity Collector to Cisco ISE Server	5222	Session subscribe. Gets notifications of new login or logout events from the Cisco ISE Server.
Identity Collector to Cisco ISE Server	8910	Bulk session download. Fetches all the active sessions from the Cisco ISE Server.

* DCOM uses DCE/RPC. If the Active Directory Domain Controller uses Windows Firewall, you must configure it to allow Identity Collector traffic: enable Remote Event Log Management > Remote Event Log Management (RPC).

Identity Collector Optimization

Exclude multi-user machines

After the Identity Collector works for a while, you can check how many multi-user computers there are, and add them to the Network Exclusion List. To do so, enter this command on the Identity Awareness Gateway CLI:

pdp idc muh show

Exclude service accounts

After the Identity Collector works for a while, you can see how many service accounts there are, and add them to the Identity Exclusion List. To do so, enter this command on the Identity Awareness Gateway CLI:

pdp idc service_accounts

Consolidate Groups

If the Identity Awareness Gateway receives the user groups from the Cisco Identity Collector (SGT), it does not try to fetch them from the user directory. If you enable group consolidation, the Identity Awareness Gateway fetches the group even if it receives groups from the Identity Collector:

pdp idc groups_consolidation show