https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190179#M35089 <P>I think quick remote session with TAC would probably solve your issue, I feel like its something basic thats missing.</P> <P>Andy</P> Tue, 22 Aug 2023 16:34:48 GMT the_rock 2023-08-22T16:34:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/189979#M35036 <P>Hi All,</P><P>We tried to set up an Identity Collector host to replace the original AD Query function of the firewall.</P><P>After the erection is complete. We found it in the log column of "Source user name". No user account information appears. In the IA-related Log, we saw the following error message:<BR />"Failed to get user groups for the domain.<BR />Verify that this domain name is configured in your LDAP Account Unit."</P><P>We have closed the local firewall of the AD and Identity Collector hosts, but still cannot collect user information.</P><P>Our AD version is Windows Server 2019. Can someone who has encountered the same problem give guidance.</P><P>Thanks</P> Mon, 21 Aug 2023 12:31:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/189979#M35036 GigaYang 2023-08-21T12:31:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/189985#M35040 <P>When you open IC software, does gateway show as connected status? Also, did you make sure AD query is fully off?</P> <P>Andy</P> Mon, 21 Aug 2023 13:19:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/189985#M35040 the_rock 2023-08-21T13:19:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190000#M35047 <P>Identity Collector changes how the gateways acquire users (using Security Logs instead of WMI).<BR />The actual groups are still pulled the same way as with ADQuery: via LDAP queries from the relevant gateways.<BR />Which means you should verify the information needed to perform these lookups is correct:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk180392" target="_blank">https://support.checkpoint.com/results/sk/sk180392</A></P> Mon, 21 Aug 2023 15:09:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190000#M35047 PhoneBoy 2023-08-21T15:09:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190006#M35049 <P>After I add a LDAP account unit object. The problem has been solved.&nbsp;</P> Mon, 21 Aug 2023 16:05:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190006#M35049 GigaYang 2023-08-21T16:05:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190007#M35050 <P>Good job!</P> Mon, 21 Aug 2023 16:10:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190007#M35050 the_rock 2023-08-21T16:10:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190163#M35079 <P>We made some architectural adjustments today. The Identity Collector host is placed on a different network segment from the Gateway management interface. As a result, the Identity Collector cannot establish a connection with the Gateway, but the Allow Log is displayed. Has anyone encountered such a situation?</P> Tue, 22 Aug 2023 14:46:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190163#M35079 GigaYang 2023-08-22T14:46:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190164#M35080 <P>Do you have proper rules configured? Does ping work back and forth?</P> <P>Andy</P> Tue, 22 Aug 2023 14:52:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190164#M35080 the_rock 2023-08-22T14:52:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190165#M35081 <P>Yes,</P><P>We have set the firewall rule from IC to gateway over TCP 443. And ping is work well.</P> Tue, 22 Aug 2023 15:07:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190165#M35081 GigaYang 2023-08-22T15:07:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190167#M35082 <P>Does gateway show as green in IC software? Also, can you pull identity source on the software itself? I will send screenshots later of what Im referring to.</P> <P>Andy</P> Tue, 22 Aug 2023 15:08:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190167#M35082 the_rock 2023-08-22T15:08:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190171#M35083 <P>K, as promised, I attached document of what I was referring to.</P> <P>&nbsp;</P> <P>Andy</P> Tue, 22 Aug 2023 15:44:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190171#M35083 the_rock 2023-08-22T15:44:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190173#M35084 <P>Hi Rock,</P><P>When IC Server and Gateway are in the same subnet. IC can function normally. But when we re-set up the IC in another subnet, the two cannot be connected. But I'm sure the IC can connect to the Gateway via TCP 443.</P><P>When unable to connect, the Gateway status on the IC is red. I'll provide footage later.</P> Tue, 22 Aug 2023 15:58:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190173#M35084 GigaYang 2023-08-22T15:58:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190175#M35085 <P>That sort of makes sense, since as we all know, when hosts are on the same subnet, all that needs to happen is they know about one another's ARP, no routing needed, so its logical it works.</P> <P>If it fails on different subnets, confirm the routing, as well as access policy. Do basic zdebug, as well as fw up_execute as well</P> <P><A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG/fw-up_execute.htm" target="_blank">https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG/fw-up_execute.htm</A></P> <P>Andy</P> Tue, 22 Aug 2023 16:07:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190175#M35085 the_rock 2023-08-22T16:07:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190176#M35086 <P>Hi Rock, attach file is my setting.</P> Tue, 22 Aug 2023 16:10:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190176#M35086 GigaYang 2023-08-22T16:10:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190177#M35087 <P>Right, so we need to find out WHY it fails, so only way to know is by running basic captures, simple debugs and see where its "stuck"</P> <P>Andy</P> Tue, 22 Aug 2023 16:13:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190177#M35087 the_rock 2023-08-22T16:13:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190178#M35088 <P>Attach file is fw monitor and zdebug result.&nbsp;I think the connection between the Gateway and the IC host is normal.</P> Tue, 22 Aug 2023 16:33:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190178#M35088 GigaYang 2023-08-22T16:33:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190179#M35089 <P>I think quick remote session with TAC would probably solve your issue, I feel like its something basic thats missing.</P> <P>Andy</P> Tue, 22 Aug 2023 16:34:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/190179#M35089 the_rock 2023-08-22T16:34:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/192148#M35485 <P>Finally we found two problems:<BR />1. PDP Problem: After we disable the AD Query function, the Monitor's device status will never change.<BR />2. The VPN certificate has expired.</P><P>After weReboot the device and re-sign the certificate. The problem is solved.</P> Mon, 11 Sep 2023 04:32:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/192148#M35485 GigaYang 2023-09-11T04:32:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/192192#M35501 <P>Good job!</P> Mon, 11 Sep 2023 11:58:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector/m-p/192192#M35501 the_rock 2023-09-11T11:58:03Z