https://community.checkpoint.com/t5/Firewall-and-Security-Management/IA-with-Identity-Collector/m-p/147553#M23535 <P>Hello everyone,</P><P>&nbsp;</P><P>So we're progressing each day in our IA test/implementation.</P><P>After we clarified some ISE issues (psGrid 2.0 vs pxGrid 1.0), we've bumped into some new interesting information in regards to AD&nbsp;<SPAN>Global Catalog&nbsp;</SPAN>from the <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk134292" target="_self">sk134292</A>&nbsp;and I wanted to ask, if it would be recommended to move from standard "LDAP Account Units" to LDAP AU but pointing it to&nbsp;<SPAN>Global Catalog AD port.&nbsp;</SPAN></P><P><SPAN>We were thinking to go this path, as we have an big AD environment with several sub-domains, and therefore we were dealing with 10-15 LDAP AU's (5 per Cluster to address each subdomain). The expectations if we move to LDAP AU against Global Catalog, would be to get less failed log-ins (we've seen a lot of those for identities&nbsp;sent from Cisco ISE without SGT's).</SPAN></P><P><SPAN>That would reduce those 15 LDAP AU to 3 (as we look to have IA on 3 clusters) .</SPAN></P><P><SPAN>Would that bring any improvement?</SPAN></P><P>&nbsp;</P><P><SPAN>Thank you,</SPAN></P><P><SPAN>PS: also while we looked into some problems, we failed to find a way we could check from GW cli, AD resolution for an machine or username. whatever documents are out-there are AD Query related. Any hints would be appreciated.</SPAN></P><P><SPAN>PS2: I was browsing last week/weekend the CheckMates portal, and I remember seeing somewhere that for user identities received from ISE (without SGT),&nbsp; we have an CLI option to search those identities against AD also. Did I remember correctly or I'm going crazy&nbsp;<span class="lia-unicode-emoji" title=":face_with_rolling_eyes:">🙄</span>....</SPAN></P> Tue, 03 May 2022 15:15:53 GMT Sorin_Gogean 2022-05-03T15:15:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IA-with-Identity-Collector/m-p/147553#M23535 <P>Hello everyone,</P><P>&nbsp;</P><P>So we're progressing each day in our IA test/implementation.</P><P>After we clarified some ISE issues (psGrid 2.0 vs pxGrid 1.0), we've bumped into some new interesting information in regards to AD&nbsp;<SPAN>Global Catalog&nbsp;</SPAN>from the <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk134292" target="_self">sk134292</A>&nbsp;and I wanted to ask, if it would be recommended to move from standard "LDAP Account Units" to LDAP AU but pointing it to&nbsp;<SPAN>Global Catalog AD port.&nbsp;</SPAN></P><P><SPAN>We were thinking to go this path, as we have an big AD environment with several sub-domains, and therefore we were dealing with 10-15 LDAP AU's (5 per Cluster to address each subdomain). The expectations if we move to LDAP AU against Global Catalog, would be to get less failed log-ins (we've seen a lot of those for identities&nbsp;sent from Cisco ISE without SGT's).</SPAN></P><P><SPAN>That would reduce those 15 LDAP AU to 3 (as we look to have IA on 3 clusters) .</SPAN></P><P><SPAN>Would that bring any improvement?</SPAN></P><P>&nbsp;</P><P><SPAN>Thank you,</SPAN></P><P><SPAN>PS: also while we looked into some problems, we failed to find a way we could check from GW cli, AD resolution for an machine or username. whatever documents are out-there are AD Query related. Any hints would be appreciated.</SPAN></P><P><SPAN>PS2: I was browsing last week/weekend the CheckMates portal, and I remember seeing somewhere that for user identities received from ISE (without SGT),&nbsp; we have an CLI option to search those identities against AD also. Did I remember correctly or I'm going crazy&nbsp;<span class="lia-unicode-emoji" title=":face_with_rolling_eyes:">🙄</span>....</SPAN></P> Tue, 03 May 2022 15:15:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IA-with-Identity-Collector/m-p/147553#M23535 Sorin_Gogean 2022-05-03T15:15:53Z