adlogconfig

Description

Configures advanced AD Query Check Point clientless identity acquisition tool. It is based on Active Directory integration and it is completely transparent to the user. The technology is based on querying the Active Directory Security Event Logs and extracting the user and computer mapping to the network address from them. It is based on Windows Management Instrumentation (WMI), a standard Microsoft protocol. The Check Point Security Gateway communicates directly with the Active Directory domain controllers and does not require a separate server. No installation is necessary on the clients, or on the Active Directory server. (formerly AD Log) settings through a text menu.

Each setting has a default value.

If you change the default value or manually configure the default value, then the change is saved in the $FWDIR/conf/ad_log_override.C file.

Syntax

On a Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / each Cluster Member Security Gateway that is part of a cluster. / Security Group, run:

adlogconfig a

On a Log Server Dedicated Check Point server that runs Check Point software to store and process logs. with Identity Logging Check Point Software Blade on a Management Server to view Identity Logs from the managed Security Gateways with enabled Identity Awareness Software Blade. enabled, run:

adlogconfig l

Note - Menu options in the "adlogconfig a" and "adlogconfig l" commands are identical.

Important:

In a Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.
On Scalable Platforms (Maestro and Chassis), you must run the applicable commands in the Expert mode on the applicable Security Group.
In the VSNext / Legacy VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode, you must run the applicable commands in to the context of the applicable Virtual Gateway / Legacy Virtual System (vsenv <VS ID>).

Default Output

[ ] Override default AD Query configuration
   [ ] Enable AD Query
      [ ] Create logs also for logoff events
      [ ] Create logs with timestamp from AD
          Timeout for username-and-IP association (minutes, 0=disabled): 0
          Interval for fetching Full Name for known users (days, 0=disabled): 0
          Hour of the day for fetching Full Name for known users (0=disabled): 0
          Threshold for Multi-User Host detection (logged in users): 7
          Timeout for revoked users on single user hosts (seconds): 14400
      [X] Mark hosts as Multi-User Hosts after X users logged in
          Timeout for Multi-User Host mark (seconds): 2592000
          Threshold for Service Account detection (logins): 10
      [ ] Automatically exclude Service Accounts
[ ] Override default parameters for AD communication
          Interval between AD queries for login events (seconds, 0=disabled): 0
          Max returned objects for each AD query data chunk (0=unlimited): 0
[ ] Ignore login events received from other AD Domains
[X] Do not check if AD password expired
[ ] AD authentication mode
   [ ] Use NTLMv1
   [X] Use NTLMv2
[ ] Assume that all hosts are for single users
[ ] Ignore hostnames of users' computers
[X] Use automatic AD updates about LDAP groups membership
          Timeout for accumulating LDAP group updates (seconds): 10
      [X] Use LDAP group updates about users only
[ ] Prefer IPv6 addresses for Domain Controllers
[1] WMI query Type

====================================================

 1 - Use / Do not use the AD Query 'override' file
 2 - Enable / Disable the AD Query feature
 3 - Create logs also for logoff events
 4 - Create logs with timestamp from AD
 5 - Timeout for username-and-IP association
 6 - Query interval (in days) for fetching Full Name for known users
 7 - Query hour of the day for fetching Full Name for known users
 8 - Add AD Domain and its Domain Controllers
 9 - Delete AD Domain and its Domain Controllers
10 - Reconfigure AD username
11 - Reconfigure AD Password
12 - Reconfigure AD Domain Controllers
13 - Number of logged in users for Multi-User Host detection
14 - Timeout for revoked users on single user hosts
15 - Mark / Do not mark hosts as Multi-User Hosts after X users logged in
16 - Timeout for Multi-User Host mark
17 - Override / Do not override parameters for communication with AD
18 - Interval between AD queries for login events
19 - Max returned objects per data chunk in each AD query for login events
20 - Check / Do not check if AD password expired (every 24 hrs)
21 - AD authentication mode - NTLMv1 / NTLMv2
22 - Assume / Do not assume that all hosts are for single users
23 - Threshold for Service Account detection
24 - Ignore / Do not ignore login events received from other AD Domains
25 - Exclude / Do not exclude Service Accounts automatically from user association
26 - Ignore / Do not ignore hostnames of users' computers
27 - Ignore / Do not ignore automatic AD updates about LDAP groups membership
28 - Timeout for accumulating LDAP group updates
29 - Use LDAP group updates about users only / about all changes
30 - Prefer / Do not prefer IPv6 addresses for Domain Controllers
31 - WMI query type
32 - Exit without saving
33 - Save configuration and exit

Enter the option number:

Explanations for the top section of the menu

Explanations

Option (with the default value)	Description
`[ ] Override default AD Query configuration`	Shows whether this option is enabled: 1 - Use / Do not use the AD Query 'override' file
`[ ] Enable AD Query`	Shows whether this option is enabled: 2 - Enable / Disable the AD Query feature
`[ ] Create logs also for logoff events`	Shows whether this option is enabled: 3 - Create logs also for logoff events
`[ ] Create logs with timestamp from AD`	Shows whether this option is enabled: 4 - Create logs with timestamp from AD
`Timeout for username-and-IP association (minutes, 0=disabled): 0`	Shows the value that was configured with this option: 5 - Timeout for username-and-IP association
`Interval for fetching Full Name for known users (days, 0=disabled): 0`	Shows the value that was configured with this option: 6 - Query interval (in days) for fetching Full Name for known users
`Hour of the day for fetching Full Name for known users (0=disabled): 0`	Shows the value that was configured with this option: 7 - Query hour of the day for fetching Full Name for known users
`Threshold for Multi-User Host detection (logged in users): 7`	Shows the value that was configured with this option: 13 - Number of logged in users for Multi-User Host detection
`Timeout for revoked users on single user hosts (seconds): 14400`	Shows the value that was configured with this option: 14 - Timeout for revoked users on single user hosts
`[X] Mark hosts as Multi-User Hosts after X users logged in`	Shows whether this option is enabled: 15 - Mark / Do not mark hosts as Multi-User Hosts after X users logged in
`Timeout for Multi-User Host mark (seconds): 2592000`	Shows the value that was configured with this option: 16 - Timeout for Multi-User Host mark
`Threshold for Service Account detection (logins): 10`	Shows the value that was configured with this option: 23 - Threshold for Service Account detection
`[ ] Automatically exclude Service Accounts`	Shows whether this option is enabled: 25 - Exclude / Do not exclude Service Accounts automatically from user association
`[ ] Override default parameters for AD communication`	Shows whether this option is enabled: 17 - Override / Do not override parameters for communication with AD
`Interval between AD queries for login events (seconds, 0=disabled): 0`	Shows the value that was configured with this option: 18 - Interval between AD queries for login events
`Max returned objects for each AD query data chunk (0=unlimited): 0`	Shows the value that was configured with this option: 19 - Max returned objects per data chunk in each AD query for login events
`[ ] Ignore login events received from other AD Domains`	Shows whether this option is enabled: 24 - Ignore / Do not ignore login events received from other AD Domains
`[X] Do not check if AD password expired`	Shows whether this option is enabled: 20 - Check / Do not check if AD password expired (every 24 hrs)
`[ ] AD authentication mode`	Always appears as cleared "`[ ]`"
`[ ] Use NTLMv1`	Shows whether "`NTLMv1`" was selected with this option: 21 - AD authentication mode - NTLMv1 / NTLMv2
`[X] Use NTLMv2`	Shows whether "`NTLMv21`" was selected with this option: 21 - AD authentication mode - NTLMv1 / NTLMv2
`[ ] Assume that all hosts are for single users`	Shows whether this option is enabled: 22 - Assume / Do not assume that all hosts are for single users
`[ ] Ignore hostnames of users' computers`	Shows whether this option is enabled: 26 - Ignore / Do not ignore hostnames of users' computers
`[X] Use automatic AD updates about LDAP groups membership`	Shows whether this option is enabled: 27 - Ignore / Do not ignore automatic AD updates about LDAP groups membership
`Timeout for accumulating LDAP group updates (seconds): 10`	Shows the value that was configured with this option: 28 - Timeout for accumulating LDAP group updates
`[X] Use LDAP group updates about users only`	Shows whether this option is enabled: 29 - Use LDAP group updates about users only / about all changes
`[ ] Prefer IPv6 addresses for Domain Controllers`	Shows whether this option is enabled: 30 - Prefer / Do not prefer IPv6 addresses for Domain Controllers
`[1] WMI query Type`	Shows the value that was configured with this option: 31 - WMI query type

Explanations for the bottom section of the menu

1 - Use / Do not use the AD Query 'override' file

Description:

Specifies whether to use the non-default settings from the $FWDIR/conf/ad_log_override.C file that you configure in this menu.

Default: disabled (does not use this file).

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Boolean
Default implicit value	`:Override (false)`
Non-Default explicit value	`:Override (true)`

2 - Enable / Disable the AD Query feature

Description:

Specifies whether to use the non-default AD Query (formerly AD Log) settings that you configure in this menu.

Default: disabled (does not use the values configured in the $FWDIR/conf/ad_log_override.C file).

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Boolean
Default implicit value	`:EnableAdLog (false)`
Non-Default explicit value	`:EnableAdLog (true)`

3 - Create logs also for logoff events

Description:

Specifies whether the Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Gateway needs to create a log for a logoff event in addition to a login event.

Default: disabled (does not create logs for logoff events).

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Boolean
Default implicit value	`:EnableLogForLoginOrLogoff (false)`
Non-Default explicit value	`:EnableLogForLoginOrLogoff (true)`

4 - Create logs with timestamp from AD

Description:

Specifies whether to use the time when the event was created on the Active Directory (original creation time) instead of the time when the event is handled on the Identity Awareness Gateway.

Default: disabled (does not use the timestamp from the Active Directory).

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Boolean
Default implicit value	`:UseLogOriginalCreationTime (false)`
Non-Default explicit value	`:UseLogOriginalCreationTime (true)`

5 - Timeout for username-and-IP association

Description:

Specifies the timeout (in minutes) for the association of the user's IP address and the username.

Default: 0 (disabled).

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Integer
Default implicit value	`:AssociationTimeout (0x0)`
Non-Default explicit value	`:AssociationTimeout (0x<Hex Number>)`

6 - Query interval (in days) for fetching Full Name for known users

Description:

Specifies the interval (in days) for fetching the full name of the known users from Active Directory.

Default: 0 days (disabled).

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Integer
Default implicit value	`:FullNameQueryInterval (0x0)`
Non-Default explicit value	`:FullNameQueryInterval (0x<Hex Number>)`

7 - Query hour of the day for fetching Full Name for known users

Description:

Specifies the round hour of the day for fetching the full name of the known users from Active Directory.

Default: 0 days (disabled).

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Integer
Default implicit value	`:FullNameFetchHour (0x0)`
Non-Default explicit value	`:FullNameFetchHour (0x<Hex Number>)`

8 - Add AD Domain and its Domain Controllers

Description:

Specifies the Active Directory Domain, Domain Controllers, Username, and Password.

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	String

Example:

:Domains (
        : (
                :DomainName (example.com)
                :Username (admin)
                :Password (<Hashed Password>)
                :DomainControllers (
                        : (dc1.example.com)
                        : (dc2.example.com)
                )
        )
)

13 - Number of logged in users for Multi-User Host detection

Description:

Specifies the number of logged on users from the same IP address, after which this IP address is considered a Multi-User Host (MUH) computer.

Default: 7 users.

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Integer
Default implicit value	`:MultiUserThreshold (0x7)`
Non-Default explicit value	`:MultiUserThreshold (0x<Hex Number>)`

14 - Timeout for revoked users on single user hosts

Description:

Note - Applies only when you enable this option:

22 - Assume / Do not assume that all hosts are for single users

Specifies the time interval, during which the Identity Awareness Gateway ignores an association of a previously logged in user on a computer to a new IP address.

This means that during this interval, the previously logged in users cannot pass traffic through the Identity Awareness Gateway if they log in on a different computer.

Default: 14400 seconds (240 minutes).

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Integer
Default implicit value	`:RevokedUserTimout (0x3840)`
Non-Default explicit value	`:RevokedUserTimout (0x<Hex Number>)`

15 - Mark / Do not mark hosts as Multi-User Hosts after X users logged in

Description:

If you disable this option, then the Identity Awareness Gateway does not mark a source IP address as a Multi-User Host (MUH) computer when there are more than X users logged in on the computer.

"X" is the value you configure with the option 13 - Number of logged in users for Multi-User Host detection.

Default: enabled (marks a source IP address as a Multi-User Host).

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Boolean
Default implicit value	`:DisableMultiUserPersistDB (false)`
Non-Default explicit value	`:DisableMultiUserPersistDB (true)`

16 - Timeout for Multi-User Host mark

Description:

Specifies the time interval, during which the Identity Awareness Gateway keeps a source IP address marked as Multi-User Host (MUH) computer when there are more than X users logged in on the computer.

"X" is the value you configure with the option 13 - Number of logged in users for Multi-User Host detection.

Default: 2592000 seconds (43200 minutes = 720 hours = 30 days)

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Integer
Default implicit value	`:MultiUserPersistMachineTimeout (0x278d00)`
Non-Default explicit value	`:MultiUserPersistMachineTimeout (0x<Hex Number>)`

17 - Override / Do not override parameters for communication with AD

Description:

Specifies whether to use the settings configured with these options:

18 - Interval between AD queries for login events
19 - Max returned objects per data chunk in each AD query for login events

Default: disabled (uses the default parameters).

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Boolean
Default implicit value	`:QueryWhitinCount (false)`
Non-Default explicit value	`:QueryWhitinCount (true)`

18 - Interval between AD queries for login events

Description:

How frequently (in seconds) the Identity Awareness Gateway asks the Active Directory for login events.

Default: 1 second.

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Integer
Default implicit value	`:FullNameQueryInterval (0x0)`
Non-Default explicit value	`:FullNameQueryInterval (0x<Hex Number>)`

19 - Max returned objects per data chunk in each AD query for login events

Description:

When the Identity Awareness Gateway asks the Active Directory for login events, this controls the number of returned users in each data chunk

Default: 100 users per data chunk.

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Integer
Default implicit value	`:QueryMaxReturnedObjects (0x64)`
Non-Default explicit value	`:QueryMaxReturnedObjects (0x<Hex Number>)`

20 - Check / Do not check if AD password expired (every 24 hrs)

Description:

Specifies whether to check (every 24 hours) if the password had expired for the account the Identity Awareness Gateway uses to connect to the Active Directory to query for new login events.

Default: disabled (does not check).

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Boolean
Default implicit value	`:DisablePassExpCheck (true)`
Non-Default explicit value	`:DisablePassExpCheck (false)`

21 - AD authentication mode - NTLMv1 / NTLMv2

Description:

Controls which authentication mode to use when connecting to Active Directory - NTLMv1 or NTLMv2.

Default: NTLMv2.

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Boolean
Default implicit value	`:UseNTLMv2 (true)`
Non-Default explicit value	`:UseNTLMv2 (false)`

22 - Assume / Do not assume that all hosts are for single users

Description:

Specifies whether to keep only one association between the source IP address and the username.

If another user logs in on the same computer, then the new username replaces the previous username in the Identity Awareness Gateway.

Default: disabled (does not assume).

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Boolean
Default implicit value	`:SingleUserAssumption (false)`
Non-Default explicit value	`:SingleUserAssumption (true)`

23 - Threshold for Service Account detection

Description:

Specifies the number of a user logins from different IP addresses to identify the user as a Service Account In Microsoft® Active Directory, a user account created explicitly to provide a security context for services running on Microsoft® Windows® Server..

Default:10 logins.

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Integer
Default implicit value	`:ServiceAccountThreshold (0xa)`
Non-Default explicit value	`:ServiceAccountThreshold (0x<Hex Number>)`

24 - Ignore / Do not ignore login events received from other AD Domains

Description:

Specifies whether to ignore login events received from different domains than configured for AD Query.

Default: disabled (does not ignore).

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Boolean
Default implicit value	`:IgnoreDifferentDomains (false)`
Non-Default explicit value	`:IgnoreDifferentDomains (true)`

25 - Exclude / Do not exclude Service Accounts automatically from user association

Description:

Controls whether to exclude Service Accounts from user association.

Default: disabled (does not exclude).

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Boolean
Default implicit value	`:ExcludeServiceAccounts (false)`
Non-Default explicit value	`:ExcludeServiceAccounts (true)`

26 - Ignore / Do not ignore hostnames of users' computers

Description:

Controls whether to ignore the hostname of the computer, on which a user logged in.

Default: disabled (does not ignore).

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Boolean
Default implicit value	`:DontReportMachines (false)`
Non-Default explicit value	`:DontReportMachines (true)`

27 - Ignore / Do not ignore automatic AD updates about LDAP groups membership

Description:

Controls whether to ignore the automatic Active Directory updates about LDAP groups membership.

Default: enabled (does not ignore).

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Boolean
Default implicit value	`:LdapGroupsUpdateEnable (true)`
Non-Default explicit value	`:LdapGroupsUpdateEnable (false)`

28 - Timeout for accumulating LDAP group updates

Description:

Note - Applies only when you enable this option:

27 - Ignore / Do not ignore automatic AD updates about LDAP groups membership

Controls the amount of time (in seconds) during which the Identity Awareness Gateway accumulates LDAP group notifications before recalculating the users' access.

Default: 10 seconds.

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Integer
Default implicit value	`:LdapGroupsUpdateDelay (0x0)`
Non-Default explicit value	`:LdapGroupsUpdateDelay (0x<Hex Number>)`

29 - Use LDAP group updates about users only / about all changes

Description:

Warning - If you disable the default behavior, the CPU load on the Identity Awareness Gateway increases significantly.

Note - Applies only when you enable this option:

27 - Ignore / Do not ignore automatic AD updates about LDAP groups membership

Controls whether to process LDAP group notifications only for changes related to users, or process all LDAP group notifications.

Default: enabled (uses notifications only for changes related to users).

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Boolean
Default implicit value	`:LdapGroupsUpdateAll (false)`
Non-Default explicit value	`:LdapGroupsUpdateAll (true)`

30 - Prefer / Do not prefer IPv6 addresses for Domain Controllers

Description:

Specifies whether to use IPv6 addresses if a DNS query for the specified domain controllers returns IPv4 addresses and IPv6 addresses.

Default: disabled (does not prefer).

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Boolean
Default implicit value	`:PreferIPv6DCAddresses (false)`
Non-Default explicit value	`:PreferIPv6DCAddresses (true)`

31 - WMI query type

Description:

Specifies the WMI Query Type for Active Directory.

Default: 1.

WMI Query Type ID

WMI Query Name

WMI Query Description

Admin query

Regular Query.

Includes reading forwarded security events logs.

Requires the account to be a member of the "Server Operators" group.

Fallback from Admin query to non-Admin query

Fallback Configuration.

Identity Awareness Gateway will first try the default regular query, and in case it fails following a WMI permissions error, it will try the Non-Admin query (reduced query).

Non-Admin query

Reduced Query.

Identity Awareness Gateway will always use the query without forwarded events.

Membership in the "Server Operators" group is not needed.

Important - Using the reduced query in Active Directory environments, in which forwarding of security event logs between Domain Controllers is configured, might lead to missing relevant security event logs. As a result, some users and/or machines may not be recognized.

Configuration in the $FWDIR/conf/ad_log_override.C file:

Item	Value
Parameter type	Integer
Default implicit value	`:WmiQueryType (0x1)`
Non-Default explicit value	`:WmiQueryType (0x<Hex Number>)`