Configuring Identity Logging for a Log Server

When you enable Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. on a Log Server Dedicated Check Point server that runs Check Point software to store and process logs., you add user and computer identification to Check Point logs. Administrators can then analyze network traffic and security-related events better.

The Log Server communicates with Active Directory servers. The Log Server stores the data extracted from the AD in an association map. When Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. generate a Check Point log entry and send it to the Log Server, the server gets the user and computer name from the association map entry that corresponds to the source IP address of the event log. It then adds this identity aware information to the log.

Enabling Identity Awareness on the Log Server for Identity Logging

Preliminary Actions

Before you enable Identity Awareness on the Log Server for Identity Logging Check Point Software Blade on a Management Server to view Identity Logs from the managed Security Gateways with enabled Identity Awareness Software Blade.:

• Make sure there is network connectivity between the Log Server and the domain controller of your Active Directory environment.

• Get the Active Directory administrator credentials.

Enabling Procedure

1. Log in to SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

2. From the Navigation Toolbar, click Gateways & Servers.

3. Open the Log Server object.

4. In the General Properties page, in the Management section, select Logging & Status Check Point Software Blade on a Management Server to view Security Logs from the managed Security Gateways. and Identity Awareness.

   The Identity Awareness Configuration wizard opens.

5. On the Acquire Identities For Logs window, click OK.

6. On the Integration With Active Directory page, select or configure an Active Directory Domain.

   1. From the Select an Active Directory list, select the Active Directory to configure from the list that shows configured LDAP Account Units or create a new domain. If you have not set up Active Directory, you need to enter a domain name, username, password and domain controller credentials.

      When the SmartConsole client computer is part of the AD domain, SmartConsole suggests this domain automatically. If you select this domain, the system creates an LDAP Account Unit with all of the domain controllers in the organization's Active Directory.

   2. Enter the Active Directory credentials and click Connect to verify the credentials.
      Important - For AD Query Check Point clientless identity acquisition tool. It is based on Active Directory integration and it is completely transparent to the user. The technology is based on querying the Active Directory Security Event Logs and extracting the user and computer mapping to the network address from them. It is based on Windows Management Instrumentation (WMI), a standard Microsoft protocol. The Check Point Security Gateway communicates directly with the Active Directory domain controllers and does not require a separate server. No installation is necessary on the clients, or on the Active Directory server. you must enter domain administrator credentials. For Browser-Based Authentication Authentication of users in Check Point Identity Awareness web portal - Captive Portal, to which users connect with their web browser to log in and authenticate. standard credentials are sufficient.

   3. If you selected Browser-Based Authentication or Terminal Servers, or do not wish to configure Active Directory, select I do not wish to configure Active Directory at this time and click Next.

   >

   Best Practice -We highly recommend that you go to the LDAP Account Unit and make sure that only necessary domain controllers are in the list. If AD Query is not required to operate with some of the domain controllers, delete them from the LDAP Servers list. With the Identity Awareness configuration wizard, you can use existing LDAP Account units or create a new one for one AD domain. If the SmartConsole computer is part of the domain, the Wizard fetches all the domain controllers of the domain and all of the domain controllers are configured. If you create a new domain, and the SmartConsole computer is not part of the domain, the LDAP Account Unit that the system creates contains only the domain controller you set manually. If it is necessary for AD Query to fetch data from other domain controllers, you must add them later manually to the LDAP Servers list after you complete the wizard. To view/edit the LDAP Account Unit object, open Object Explorer (Ctrl + E), and select Servers > LDAP Account units in the Categories tree. The LDAP Account Unit name syntax is: <domain name>__AD For example, CORP.ACME.COM__AD.

7. Click Next.

8. The Identity Awareness is Now Active page opens with a summary of the acquisition methods.

9. Click Finish.

10. Optional: In the Log Server object, go to the Identity Awareness page and configure the applicable settings.

11. Click OK.

12. Install the database

    1. In SmartConsole, go to Menu > click Install database.

    2. The Install Database window appears.

    3. Select all Check Point objects, on which to install the database.

    4. In the Install database window, click Install.

    5. In the SmartConsole window, click Publish & Install.

    6. The operation should end with the message Install Database on XXX Succeeded.

WMI Performance

Bandwidth between the Log Server and Active Directory Domain Controllers

The amount of data transferred between the Log Server and domain controllers depends on the amount of events generated. The generated events include event logs and authentication events. The amounts vary according to the applications running in the network. Programs that have many authentication requests result in a larger amount of logs. The observed bandwidth range varies between 0.1 to 0.25 Mbps per each 1000 users.

CPU Impact

When using AD Query, the impact on the domain controller CPU is less than 3%.