topic Re: Identity Awareness - Identity Collector monitoring in Firewall and Security Management

Identity Awareness - Identity Collector monitoring

Sorin_Gogean — Tue, 11 May 2021 07:52:19 GMT

Hello everyone,

We're about to start using Identity Awareness with Identity Collectors (redundant and everything else), and one problem we're were noticing is that we did not see any ways to monitor Identity Collector .

Like the connection to AD servers, or connection to ISE servers or even GW's .

Are you aware of any ways to achieve this ? or are there any MIB's for GW's through where we can get IA status and eventual errors ?

Thank you,

PS: there is another topic IA Monitoring that we will try in a similar way, but still

Re: Identity Awareness - Identity Collector monitoring

PhoneBoy — Mon, 17 May 2021 04:24:51 GMT

The identity collector itself? I don't think so.
That said if you're not seeing identities flow on the gateway, that would be a sign of an issue.
This SK suggests a possible MIB to query: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk139152&partition=Advanced&product=Identity

Re: Identity Awareness - Identity Collector monitoring

Sorin_Gogean — Mon, 17 May 2021 06:51:59 GMT

Morning,

Currently we don't have any issues with the identity flow to the GW, but we are looking into a way to monitor this.

We are testing for now the SNMP monitoring of IA/IC through the GW, and that provides us with details on the sources connected to the IC (DC or pxGrid/ISE) . So we should be able to alert and take actions in case somethings shows up.

Thank you,

(As example from similar SNMP implementation)

Re: Identity Awareness - Identity Collector monitoring

PhoneBoy — Mon, 17 May 2021 20:40:48 GMT

There doesn't seem to be an obvious way to monitor this directly.
That said, you should see an active TCP connection on the gateway from the Identity Collector.
Maybe we need additional instrumentation here?
@Royi_Priov

Re: Identity Awareness - Identity Collector monitoring

Royi_Priov — Tue, 18 May 2021 07:20:02 GMT

Hi @Sorin_Gogean ,

There are monitoring capabilities to IDC.

Please check sk108235, under "Monitoring capability" section - as @PhoneBoy wrote above.

The SNMP OIDs are mentioned in $FWDIR/conf/identity_server.cps

I suggest first to see the feature is working as needed with "pdp idc status" command.

As for direct monitoring mechanism, there isn't. However, since IDC worth nothing without the PDP gateway getting the info from IDC, I personally don't think we need to add something to IDC itself.

Re: Identity Awareness - Identity Collector monitoring

Sorin_Gogean — Wed, 19 May 2021 05:28:32 GMT

Morning everyone,

Like Royi said, we are monitoring via SNMP from the PDP (our GW) that shows the sources detail received from IDC (sorry for the confusion) .

We're getting all the information from the table OID .1.3.6.1.4.1.2620.1.38.53.... with all it's members ("Identity Collector Sources") .

That covers our current needs .

Thank you and have a nice week,

Re: Identity Awareness - Identity Collector monitoring

Tiago_Cerqueira — Sat, 24 Jul 2021 10:28:15 GMT

Hi,

I'm also looking into this OID for monitoring, but I would like to monitor the total number of events sent from the IDC to the firewall. It seems like under the snmp branch .1.3.6.1.4.1.2620.1.38 you can only monitor the connection between the IDC and the ADs (in our case), not the number of events being sent over from the IDC to the firewall itself, much like what you see on the "events in last hour" column ("Gateways" tab), on the IDC GUI.

Does anyone have any idea on how to monitor these? Thanks!

Re: Identity Awareness - Identity Collector monitoring

Tiago_Cerqueira — Tue, 03 Aug 2021 00:21:12 GMT

I found a way to do this without SNMP, by using the gaia_api run-script. You can run any expert command there, that includes pdp conn idc. Then I just need to handle it on the client side

Re: Identity Awareness - Identity Collector monitoring

hemh — Mon, 18 Jul 2022 14:39:33 GMT

Hi Sorin, I do not have any return on a snmpwalk to .1.3.6.1.4.1.2620.1.38.53, how comes?

Re: Identity Awareness - Identity Collector monitoring

Sorin_Gogean — Tue, 19 Jul 2022 08:35:33 GMT

hey @hemh ,

maybe the planets didn't align, I don't know 😁,

(without knowing what you did and your environment, we can't answer)

now on a serious note, were you following the SK108235 ?

did you enabled the Registry keys on the server that is hosting the IC ?

are you seeing in the GW's the DC and/or ISE servers when you try the below commands ?

Via cpstat CLI: cpstat identityServer -f idc
- Via pdp CLI: pdp idc status (available since R80.30)

do an snmpwalk on the GW starting from .1.3.6.1.4.1.2620.1.38 - you will see all the OID's under that root....

more details https://oidref.com/1.3.6.1.4.1.2620.1.38

Thank you,

Re: Identity Awareness - Identity Collector monitoring

HusMo — Wed, 10 Apr 2024 09:20:07 GMT

This below works for us, you can play with different branches of OID to suit your needs but I used .6 for 'Status' column of idc table, as shown in $FWDIR/conf/identity_server.cps:

-Add new custom poller 1.3.6.1.4.1.2620.1.38.53.1.6 (SNMP type GET TABLE) - to pull all IDC lines in one go

-Assign poller to gateways communicating with IDCs

-Alert trigger if row label = Status AND value != Connected

Some SNMP walk on the OID tree can help you to shape what you are looking to achieve, you can go one level up to get the table or just look at events received if you like (use .5 instead of .6 works, just tested).