Configuring Identity Logging for a Log Server
When you enable Identity Awareness (IDA) on a Log Server, you add user and computer identification to Check Point logs. Administrators can then analyze network traffic and security-related events better.
The Log Server communicates with the Active Directory servers and stores the data it extracts from AD in an association map. When a Security Gateway generates a Check Point log entry and sends it to the Log Server, the Log Server looks up the user and computer name in the association map entry that corresponds to the source IP address of the log entry, and adds this identity information to the log.
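The lookup described above, from source IP to user and computer, is easy to model. The following is an added illustration, not Check Point code: it builds an association map from constructed AD logon events, keeps the newest identity per IP, and enriches constructed gateway log entries by source IP. The event and log field names, and the freshness window (max_age) that drops mappings older than a working day, are assumptions for this example; the page does not state how long the Log Server keeps an entry.

```python
"""Identity enrichment of gateway logs by source IP (added example).

Not Check Point code. Models the association map described in the text:
AD logon events -> {source IP: latest identity}; gateway logs are then
enriched with user/computer taken from the entry for their source IP.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Identity:
    user: str
    computer: str
    seen: datetime  # time of the logon event that produced this mapping


# Constructed sample logon events, as the Log Server might extract them from
# a domain controller's security event log (field names are assumed).
AD_EVENTS = [
    {"time": "2024-04-30T20:00:00", "user": "dave", "computer": "WS-DAVE", "ip": "10.1.1.12"},
    {"time": "2024-05-01T08:00:00", "user": "alice", "computer": "WS-ALICE", "ip": "10.1.1.10"},
    {"time": "2024-05-01T08:05:00", "user": "bob", "computer": "WS-BOB", "ip": "10.1.1.11"},
    # The same IP is later handed to another host: the newest event must win.
    {"time": "2024-05-01T09:30:00", "user": "carol", "computer": "WS-CAROL", "ip": "10.1.1.10"},
]

# Constructed gateway log entries, reduced to the fields this example needs.
GATEWAY_LOGS = [
    {"time": "2024-05-01T09:45:00", "src": "10.1.1.10", "dst": "93.184.216.34", "action": "Accept"},
    {"time": "2024-05-01T09:46:00", "src": "10.1.1.11", "dst": "10.2.0.5", "action": "Drop"},
    {"time": "2024-05-01T09:47:00", "src": "10.1.1.99", "dst": "10.2.0.5", "action": "Accept"},
    {"time": "2024-05-01T09:48:00", "src": "10.1.1.12", "dst": "10.2.0.7", "action": "Accept"},
]


def build_association_map(events: List[dict]) -> Dict[str, Identity]:
    """Map each source IP to the most recent identity seen for it."""
    assoc: Dict[str, Identity] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        current = assoc.get(ev["ip"])
        if current is None or ts >= current.seen:
            assoc[ev["ip"]] = Identity(ev["user"], ev["computer"], ts)
    return assoc


def enrich_log(entry: dict, assoc: Dict[str, Identity],
               max_age: timedelta = timedelta(hours=8)) -> dict:
    """Return a copy of entry with user/computer filled from the map.

    Both fields are None when the source IP has no mapping, or when the
    mapping is older than max_age (an assumed freshness window, so that an
    IP reassigned to an unknown host is not attributed to its old user).
    """
    out = dict(entry)
    ident: Optional[Identity] = assoc.get(entry["src"])
    log_time = datetime.fromisoformat(entry["time"])
    if ident is None or log_time - ident.seen > max_age:
        out["user"], out["computer"] = None, None
    else:
        out["user"], out["computer"] = ident.user, ident.computer
    return out


def enrich_all(logs: List[dict], assoc: Dict[str, Identity]) -> List[dict]:
    return [enrich_log(e, assoc) for e in logs]


if __name__ == "__main__":
    amap = build_association_map(AD_EVENTS)
    for row in enrich_all(GATEWAY_LOGS, amap):
        print(row)
```

Two edge cases are worth noticing when you read the output: the entry from 10.1.1.10 is attributed to carol, not alice, because the newer logon event replaced the older mapping, and the entry from 10.1.1.12 stays anonymous because dave's logon is older than the assumed freshness window.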
Enabling Identity Awareness on the Log Server for Identity Logging
Preliminary Actions
Before you enable Identity Awareness on the Log Server for Identity Logging:
- Make sure there is network connectivity between the Log Server and the domain controller of your Active Directory environment.
- Get the Active Directory administrator credentials.
To enable Identity Awareness on the Log Server for Identity Logging, you must:
- Configure an Active Directory Domain.
- Install the database.
Procedure:
- From the Navigation Toolbar, click Gateways & Servers.
- Open the Log Server object.
- In the General Properties page, in the Management section, select Logging & Status and Identity Logging.
The Identity Awareness Configuration wizard opens.
- On the Acquire Identities For Logs window, click OK.
Configuring an Active Directory Domain
On the Integration With Active Directory page, select or configure an Active Directory Domain.
- From the Select an Active Directory list, select the Active Directory to configure (the list shows the configured LDAP Account Units), or create a new domain. If you have not set up Active Directory, you must enter a domain name, username, password, and domain controller credentials.
When the SmartConsole client computer is part of the AD domain, SmartConsole suggests this domain automatically. If you select this domain, the system creates an LDAP Account Unit with all of the domain controllers in the organization's Active Directory.
- Enter the Active Directory credentials and click Connect to verify the credentials.
- If you selected Browser-Based Authentication or Terminal Servers, or do not configure Active Directory, select I do not wish to configure Active Directory at this time.
- Click Next.
Best Practice - We highly recommend that you go to the LDAP Account Unit and make sure that only the necessary domain controllers are in the list. If AD Query does not need to work with some of the domain controllers, remove them from the LDAP Servers list.
With the Identity Awareness configuration wizard, you can use existing LDAP Account units or create a new one for one AD domain.
If the SmartConsole computer is part of the domain, the Wizard fetches all the domain controllers of the domain and all of the domain controllers are configured.
If you create a new domain, and the SmartConsole computer is not part of the domain, the LDAP Account Unit that the system creates contains only the domain controller you set manually. If it is necessary for AD Query to fetch data from other domain controllers, you must add them manually to the LDAP Servers list after you complete the wizard.
To view or edit the LDAP Account Unit object, open the Object Explorer (Ctrl + E) and select Servers > LDAP Account Units in the Categories tree.
The LDAP Account Unit name syntax is <domain name>__AD. For example: CORP.ACME.COM__AD.
- Click Next.
- The Identity Awareness is Now Active page opens with a summary of the acquisition methods.
- Click Finish.
- Optional: In the Log Server object, go to the Identity Awareness page and configure the applicable settings.
- Click OK.
Installing the Database
- In SmartConsole, go to and click Install database.
The Install Database window opens.
- Select all Check Point objects on which to install the database.
- In the Install Database window, click Install.
- In the SmartConsole window, click Publish & Install.
- Wait for the message Install Database on XXX Succeeded at the end of the operation.
WMI Performance
Bandwidth between the Log Server and Active Directory Domain Controllers
The quantity of data transferred between the Log Server and the domain controllers depends on the number of events generated. These events include event logs and authentication events, and their volume varies with the applications that run in the network: programs that issue many authentication requests produce more logs. The observed bandwidth ranges between 0.1 and 0.25 Mbps per 1000 users.
CPU Impact
When using AD Query, the impact on the domain controller CPU is less than 3%.