topic Re: Identity Collector Exclusion List in Firewall and Security Management

Identity Collector Exclusion List

NorthernNetGuy — Wed, 24 Oct 2018 12:34:39 GMT

If you leave the excluded and included items blank, are all items sent, or do you have to specify all networks you want to include?

If I add one subnet in the included list, does that mean everything else is excluded, even if not defined in the excluded list?

There's no real documentation I can find for this. The Identity awareness guide just says "Defines IP addresses and networks to include or exclude".

I would just like to test Identity Collector in one subnet, and exclude that subnet from AD Query.

Re: Identity Collector Exclusion List

G_W_Albrecht — Wed, 24 Oct 2018 14:14:27 GMT

You find more information in the Identity Collector R77.30 Release Notes.

Re: Identity Collector Exclusion List

NorthernNetGuy — Wed, 24 Oct 2018 14:19:42 GMT

r 77.30 release notes show the same thing as the r80.10. It says you can use it to exclude and include, but no details as to how the exclusions work. (Does include inherently exclude all non included networks?)

Re: Identity Collector Exclusion List

Kaspars_Zibarts — Wed, 24 Oct 2018 14:25:59 GMT

Royi Priov‌ - could you help here pls?

Re: Identity Collector Exclusion List

G_W_Albrecht — Wed, 24 Oct 2018 14:27:17 GMT

I would assume that basic principles of logic do apply . Main feature here is optimization by excluding unnecessary information, but it makes also possible to strictly limit the collected information by using include.

Re: Identity Collector Exclusion List

NorthernNetGuy — Wed, 24 Oct 2018 14:41:16 GMT

That's what I would assume as well. The features seem almost mutually exclusive, kinda like a fail open or fail close. I wonder which one is determined first, the exclude or the include?

Re: Identity Collector Exclusion List

G_W_Albrecht — Wed, 24 Oct 2018 14:56:45 GMT

It does make no sense to use both - this filters the data from Collector before forwarding it to the GWs. As explained in the documentation, this comes handy to filter unnecessary data. The other side would be a kind of whitelist, limiting which data shall be forwarded to the GWs, that can be usefull under special circumstances.

Re: Identity Collector Exclusion List

Kris_Pellens — Wed, 24 Oct 2018 20:26:50 GMT

It does make sense to use both. Example:

Include: 10.105.0.0/16
Exclude: 10.105.20.0/24

I agree with David, the R80.10 and R80.20 documentation regarding the Identity Collector does not have the right quality.

It looks like it's done on purpose, in order to sell professional services, isn't it?

Re: Identity Collector Exclusion List

Royi_Priov — Thu, 25 Oct 2018 05:23:39 GMT

Kris Pellens wrote:
It looks like it's done on purpose, in order to sell professional services, isn't it?

Hi Kris,

I really feel sorry this is your opinion.

Taking this into the constructive side, I will appreciate if you could tell me what you are missing in our documentation.

Thanks,

Royi Priov

Team Leader, Identity Awareness R&D.

Re: Identity Collector Exclusion List

Royi_Priov — Thu, 25 Oct 2018 05:25:56 GMT

Hi,

As written here, when identity is received on the Identity collector, in order to be sent to the gateway, it should pass all filters for both global and local gateway filter (available in our latest version - sk134312).

Therefore, if there are both inclusion and exclusion lists, both filters will be applied.

Thanks,

Royi Priov

Team Leader, Identity Awareness R&D.

Re: Identity Collector Exclusion List

NorthernNetGuy — Thu, 25 Oct 2018 12:28:16 GMT

So if I have nothing in the inclusion list, everything with pass.

If I have 1 subnet in the inclusion list, only that subnet will pass.

Is that correct?

Re: Identity Collector Exclusion List

Kris_Pellens — Fri, 26 Oct 2018 11:09:43 GMT

Hello Royi,

Thank you for your feedback. We're currently implementing Identity Management (using Microsoft Active Directory and Cisco ISE).

At the moment, we have the following set up:

A VSX/VSLS cluster (R80.20)
A Security Management Server (R80.20)
Identity Collector (sk134312)
Identity Agent Terminal Server (sk134312), running on Windows 2012

The online documentation (i.e. the Identity Awareness R80.20 Administration Guide) is not reflecting those updates. It would be nice to have the online documentation be aligned with the latest updates.

We're also experiencing connections issues on the terminal servers.

Since the installation of the Terminal Server Agent, sometimes all tcp ports on the server are occupied (port starvation); resulting in connection errors (hence: user frustration). The number of users is less than 20.

Today, we've experienced a TS crash, caused by the agent:

(A TAC case has been opened for that).

The Check Point community is also asking for a best practices and configuration document on how to integrate Check Point Identity with Cisco ISE. Is this something you can provide, because your team did the tests up to ISE 2.4.

Many thanks.

Kind regards,

Kris

Re: Identity Collector Exclusion List

G_W_Albrecht — Wed, 31 Oct 2018 10:58:05 GMT

Please explain what this comment has to do with the topic Identity Collector Exclusion List ?

Re: Identity Collector Exclusion List

Royi_Priov — Wed, 31 Oct 2018 12:16:23 GMT

correct.

Re: Identity Collector Exclusion List

nmpramalho — Wed, 12 Mar 2025 12:14:32 GMT

Hello All,

I still have a question regarding the Include / Exclude option for identities.

Currently I have an Identity Filter that excludes all service Accounts (regex identity svc*), yet we need to include an account named svcJohnDoe. So I added a new Include entry for that account, but is still not seen by the gateways.

According to your explanation, both should be applied, but it seems to me that the exclusion is overriding the include entry.

Can you please help?

Kind regards,

Nuno Ramalho

Re: Identity Collector Exclusion List

Ju_Ka — Thu, 12 Jun 2025 09:06:19 GMT

Hello,

unfortunately I still can't find any comprehensive documentation which explains how the identity collector manages filters. In the documentation "https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics/Identity-Collector-Filters-for-Login-Events.htm" you only document how to use the interface. I guess that should be a given, that an administrator understands the interface.

What's the logic behind the filters?

I have a global filter which is completely empty so everything is allowed.

I have a second filter which excludes certain subnets and includes certain access roles via AD.

Now I would like to add exceptions for the excluded subnets to allow some machines access to the internet.

Which filter has precedens over the other. Are they processed top to bottom, although I can't change the order they are listed in? Can I use includes and excludes per section (network, identity, domain ) within one filter at the same time or do I need separate Filters?

I hope you can update either the documentation or some links:

sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics/Introduction.htm

Best regards

Jürgen

Re: Identity Collector Exclusion List

Royi_Priov — Thu, 12 Jun 2025 09:41:59 GMT

Hi Jürgen,

From what I remember, the filters are applied in one action (both global and local filters). It means, for the identity to be sent to a PDP gateway, it should pass the global and all local filters.

By the way, in Infinity Identity we are about to present a new filtering mechanism, which will support also group filtering and other parameters. I have attached a snippet from our UI.

Send me a private message if you want to get more information about it.

Re: Identity Collector Exclusion List

nmpramalho — Thu, 12 Jun 2025 11:05:28 GMT

Hi Royi,

Thank you for your reply.

You say that filters are applied in one action, both Global and Local filters, but still there is no reference to how include and exclude filters are applied when used together.

In our case, we have no exclusions at Global level. we only have a local filter that includes both excluded accounts (svc*) and some include filters (e.g. svcTEST), but the account svcTEST is not passed to the gateways. It seems that the exclusion is overlapping the inclusion, but I can't find any information about this, neither a way to address this need.

New feature looks very nice, thank you for sharing. Is this included in new IDC R82, released May 11th?

Thanks in advance,

Nuno Ramalho

Re: Identity Collector Exclusion List

Royi_Priov — Thu, 12 Jun 2025 11:23:24 GMT

@nmpramalho I think I understand your point.

as the filter applied in once bulk, soon as one of the condition matches, the action is performed. so the svcTEST applies on svc* therefore dropped.

If this is indeed the case, it seems that it is a legit RFE to send with your local SE team.

As for Infinity Identity, it is a new application in Infinity Portal, which communicates with Identity Collector and also with Entra ID, Intune, Defender and Harmony clients.

Check this thread for more details:

https://community.checkpoint.com/t5/General-Topics/Simplifying-Zero-Trust-with-Infinity-Identity-Centralized/m-p/246632#M41214

The filters page I showed is part of this application. In case you will create the following filters it will work with Infinity Identity:

1. identity "svcTEST" include

2. Identity regex "svc*" exclude

If needed, contact me for more details privately here or at royip@checkpoint.com

Re: Identity Collector Exclusion List

Ju_Ka — Fri, 13 Jun 2025 06:57:56 GMT

Hello Royi,

thank you for your reply. So from this thread I understand that the first match applies the filter. I will try out this logic for Identity Collector filters in R81.20.

Go from specific rules to general rules
Go from top to bottom
Includes come before Excludes
once a filter matches - no more processing

If anyone else has tried out a couple of things feel free to share your experience.

Have a nice weekend!

Best regards,

Jürgen