topic Re: New IA Implementation in Firewall and Security Management

New IA Implementation

Matlu — Thu, 06 Jul 2023 12:56:36 GMT

Hello,

One query, please.

Due to customer need, we require to implement the AI blade.

The customer has a quite large network (More than 2000 users).

I understand that there are 2 ways to integrate the Windows Server AD, by the AD Query / Identity Collector (correct me if I am wrong please).

I understand that the viable method for us would be to install some application in the same AD Windows Server.

I understand that this application is called IDENTITY COLLECTOR, right?

If my comment is true, downloading and installing this application, is it free or is it required to make a purchase from Checkpoint?

Are end users going to have to be forced to install some application on their computers?

Greetings.

Re: New IA Implementation

Chris_Atkinson — Thu, 06 Jul 2023 13:35:28 GMT

Identity Collector can be installed on a Window machine in the same domain doesn't have to be the DC, no cost is involved specific to the collector.

Identity agents for the client PCs are not mandatory but will operate more effectively in some scenarios.

Re: New IA Implementation

Ruan_Kotze — Thu, 06 Jul 2023 13:57:40 GMT

Hi Matlu,

Identity Collector is absolutely the way to go, AD Query is being deprecated, and in fact you have to jump through hoops to get that working nowadays.

You don't need to install it on a DC, a member server is fine. An active support contract will entitle you to the download, there is no separate charge.

There is an client that you can install on a client, but it should not be necessary from what I can see (in fact it's not necessary for the vast majority of use cases in my experience).

Thanks,
Ruan

Re: New IA Implementation

Matlu — Thu, 06 Jul 2023 17:31:55 GMT

Hello,

Can you share me the SK or WEB from where I could download the Identity Collector, please.

In addition to this, I understand that this application does not need to be installed in the same Windows Server we have, but in any station with privileges, certain ????

When activating the AI blade in the Cluster object from my SmartConsole, in order to work with the Identity Collector, I must select the option that I show in the image, correct?

Cheers

Re: New IA Implementation

the_rock — Thu, 06 Jul 2023 17:39:55 GMT

Hey bro,

Once IA blade is enabled, dont even bother going through the wizard, just cancel it, make sure blade shows as on and you can download collected from below option, just make sure its checked.

Andy

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topics-IDAG/Identity-Sources-Identity-Collector.htm

Re: New IA Implementation

PhoneBoy — Thu, 06 Jul 2023 17:59:15 GMT

All the various Identity Awareness clients (including Collector) are linked here: https://support.checkpoint.com/results/sk/sk134312

Re: New IA Implementation

Matlu — Thu, 06 Jul 2023 18:22:44 GMT

Hi, Bro.

The customer has serious doubts in implementing the agent.

Is it still feasible to use the AD Query mode, for a number of approx. 4k users?

Greetings.

Re: New IA Implementation

the_rock — Thu, 06 Jul 2023 18:31:56 GMT

Hey bro,

You can do that, but please show them below. We had few customers with same concern and now they are so happy they went with collector and they are actually bit upset they had not done it sooner.

Andy

https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics/Identity-Collector.htm?Highlight=collector

These are the benefits of using Identity Collector instead of a standard AD QueryClosed:

Reduced load on the Security Gateway - Identity Collector does the queries instead of the Security Gateway

Reduced load on the Domain Controller (DC) - the native Windows API consumes fewer resources

Lower permissions required - Identity Collector requires read-only access to the domain security logs

No changes are required in the Active Directory (AD) schema.

One Identity Collector can serve multiple Security Gateways, even from a different Domain Management Servers on a Multi-Domain ServerClosed.

Identity Collector can communicate with a maximum of up to 35 Active Directory (AD) servers.

Identity Collector can process a maximum of 1900 Active Directory (AD) events per second.

Re: New IA Implementation

Matlu — Thu, 06 Jul 2023 18:39:40 GMT

Andy,

I will try to persuade the client, even if he is a bit "inane", and well, I have not implemented the agent before, so I am "reading the documentation".

Could you comment me, which is the option of the agent, that should be downloaded in our case, for a Windows Server 2019 to more, please????

What leaves me doubts in the documentation, is if only enough to install the agent on the server and already, or is that I will have to install other agents separately, other agents on each machine of each user ...

Re: New IA Implementation

PhoneBoy — Thu, 06 Jul 2023 18:42:14 GMT

I would not do ANY new deployments with AD Query at this point.
First of all, AD Query causes additional load on the AD server.
With 4k users, this might be noticeable.
Second, due to various security vulnerabilities in WMI, Microsoft has and continues to make changes, some of which have broken AD Query.
Currently, using fully patched AD servers, AD Query can only be implemented using an account with Domain Admin credentials.

Meanwhile, Identity Collector:

Is significantly more scalable
Only requires an account that can read Security Logs from Active Directory
Is the recommended solution

Re: New IA Implementation

PhoneBoy — Thu, 06 Jul 2023 18:46:13 GMT

The SK I referred to earlier explains what each agent is for.

Re: New IA Implementation

the_rock — Thu, 06 Jul 2023 18:48:22 GMT

Just install the collector (first one in the list), though one I gave you from last screenshot works even on windows 11 (tried it myself in the lab). Then, once installed, I attached some screenshots of what you need to do.

Andy

Re: New IA Implementation

the_rock — Thu, 06 Jul 2023 18:50:45 GMT

Btw, @PhoneBoy explained it PERFECTLY. And trust me, hes been around CP almost since the beginning, so if you should listen to anyone, its him...just saying : - )

Andy

Re: New IA Implementation

Matlu — Thu, 06 Jul 2023 21:59:46 GMT

Thank you for the clarification.

I think the best option is to make a lab for this.

I will try to replicate the scenario I need for our client.

Re: New IA Implementation

the_rock — Thu, 06 Jul 2023 22:22:07 GMT

Lab is always best bro 🙂