https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-Query-vs-Identity-Collector/m-p/245652#M47862 <P>To add, here are the pro's of the IDC:</P> <UL> <LI> <P>Reduced load on the<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_Other.tp_sgate variable"><A class="MCTextPopup MCTextPopupHotSpot MCTextPopupHotSpot_ #text MCTextPopup_Closed" role="button" href="https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics-IA-Clients-AG/Identity-Collector.htm?tocpath=Identity%20Collector%7C_____0#" data-mc-state="closed" data-aria-describedby="c60c94eb-2a72-4fc0-9c28-ba70a1da3a33" target="_blank">Security Gateway -&nbsp;</A></SPAN><SPAN>I</SPAN><SPAN class="mc-variable Vars_BladesFeatures.tp_ida_collector variable">dentity Collector</SPAN><SPAN>&nbsp;</SPAN><SPAN>does the queries instead of the</SPAN><SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_Other.tp_sgate variable">Security Gateway</SPAN></P> </LI> <LI> <P><SPAN>Reduced load on the Domain Controller (DC) - the native Windows API consumes fewer resources</SPAN></P> </LI> <LI> <P>Lower permissions required -<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_BladesFeatures.tp_ida_collector variable">Identity Collector</SPAN><SPAN>&nbsp;</SPAN>requires read-only access to the domain security logs</P> </LI> <LI> <P>No changes are required in the<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_Other.tp_active_directory variable">Active Directory</SPAN><SPAN>&nbsp;</SPAN>(AD) schema.</P> </LI> <LI> <P>One<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_BladesFeatures.tp_ida_collector variable">Identity Collector</SPAN><SPAN>&nbsp;</SPAN>can serve multiple<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_Other.tp_sgates variable">Security Gateways</SPAN>, even from a different<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_BladesFeatures.tp_dmss variable">Domain Management Servers</SPAN><SPAN>&nbsp;</SPAN>on a<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_BladesFeatures.tp_mds variable"><A class="MCTextPopup MCTextPopupHotSpot MCTextPopupHotSpot_ #text MCTextPopup_Closed" role="button" href="https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics-IA-Clients-AG/Identity-Collector.htm?tocpath=Identity%20Collector%7C_____0#" data-mc-state="closed" data-aria-describedby="c11cb361-d463-467f-93f3-4cc452ebefcc" target="_blank">Multi-Domain Server</A></SPAN></P> </LI> <LI> <P><SPAN class="mc-variable Vars_BladesFeatures.tp_ida_collector variable">Identity Collector</SPAN><SPAN>&nbsp;</SPAN>can communicate with a maximum of up to 35<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_Other.tp_active_directory variable">Active Directory</SPAN><SPAN>&nbsp;</SPAN>(AD) servers.</P> </LI> <LI> <P><SPAN class="mc-variable Vars_BladesFeatures.tp_ida_collector variable">Identity Collector</SPAN><SPAN>&nbsp;</SPAN>can process a maximum of 1900<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_Other.tp_active_directory variable">Active Directory</SPAN><SPAN>&nbsp;</SPAN>(AD) events per second.</P> </LI> </UL> Thu, 03 Apr 2025 21:09:09 GMT Lesley 2025-04-03T21:09:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-Query-vs-Identity-Collector/m-p/245541#M47847 <P>Hello guys</P><P>AD Query has this limitation:</P><UL><LI><P><SPAN class="">Many user accounts connected from the same IP address</SPAN><SPAN>&nbsp;</SPAN>-<SPAN>&nbsp;</SPAN><SPAN class="">AD Query</SPAN><SPAN>&nbsp;</SPAN>cannot detect when a user logs out. Therefore, more than one user can have open sessions from the same IP address. When this occurs, the permissions for each account stay active until their<SPAN>&nbsp;</SPAN><SPAN class="">User/IP association timeout</SPAN><SPAN>&nbsp;</SPAN>occurs. In this scenario, there is a risk that currently connected users can get access to network resources, for which they do not have permissions.</P></LI></UL><P>Does Identity Collector share this limitation? If not, how does it solve this?</P> Thu, 03 Apr 2025 07:32:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-Query-vs-Identity-Collector/m-p/245541#M47847 shauls 2025-04-03T07:32:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-Query-vs-Identity-Collector/m-p/245555#M47853 <P>IDC also has the same limitation, stemming from the same place - there's no 'log out' event in AD for us to read. To know when a session has ended, we need to be reading from an agent on the machine, either the multi-user host agent on terminal servers or the regular agent on PCs.</P> <P>This can be mitigated on single-user PCs by enabling the 'assume one user per host' option that will end the user association to an IP address when a new user is associated with it.&nbsp;</P> Thu, 03 Apr 2025 11:07:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-Query-vs-Identity-Collector/m-p/245555#M47853 emmap 2025-04-03T11:07:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-Query-vs-Identity-Collector/m-p/245556#M47854 <P>See if below discussion helps, lots of things were discussed here.</P> <P>Andy</P> <P><A href="https://community.checkpoint.com/t5/Security-Gateways/New-IA-Implementation/m-p/185851#M34184" target="_blank">https://community.checkpoint.com/t5/Security-Gateways/New-IA-Implementation/m-p/185851#M34184</A></P> Thu, 03 Apr 2025 11:09:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-Query-vs-Identity-Collector/m-p/245556#M47854 the_rock 2025-04-03T11:09:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-Query-vs-Identity-Collector/m-p/245558#M47855 <P>In general there are certain scenarios that can only be solved entirely with the Identity Agent, with that said Identity Collector is preferred over the legacy ADquery method for several reasons.</P> Thu, 03 Apr 2025 11:11:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-Query-vs-Identity-Collector/m-p/245558#M47855 Chris_Atkinson 2025-04-03T11:11:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-Query-vs-Identity-Collector/m-p/245561#M47856 <P>I see this option.</P><P>I have this option on both Security Gateway and Security Management Server, what are the differences?</P> Thu, 03 Apr 2025 11:47:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-Query-vs-Identity-Collector/m-p/245561#M47856 shauls 2025-04-03T11:47:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-Query-vs-Identity-Collector/m-p/245652#M47862 <P>To add, here are the pro's of the IDC:</P> <UL> <LI> <P>Reduced load on the<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_Other.tp_sgate variable"><A class="MCTextPopup MCTextPopupHotSpot MCTextPopupHotSpot_ #text MCTextPopup_Closed" role="button" href="https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics-IA-Clients-AG/Identity-Collector.htm?tocpath=Identity%20Collector%7C_____0#" data-mc-state="closed" data-aria-describedby="c60c94eb-2a72-4fc0-9c28-ba70a1da3a33" target="_blank">Security Gateway -&nbsp;</A></SPAN><SPAN>I</SPAN><SPAN class="mc-variable Vars_BladesFeatures.tp_ida_collector variable">dentity Collector</SPAN><SPAN>&nbsp;</SPAN><SPAN>does the queries instead of the</SPAN><SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_Other.tp_sgate variable">Security Gateway</SPAN></P> </LI> <LI> <P><SPAN>Reduced load on the Domain Controller (DC) - the native Windows API consumes fewer resources</SPAN></P> </LI> <LI> <P>Lower permissions required -<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_BladesFeatures.tp_ida_collector variable">Identity Collector</SPAN><SPAN>&nbsp;</SPAN>requires read-only access to the domain security logs</P> </LI> <LI> <P>No changes are required in the<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_Other.tp_active_directory variable">Active Directory</SPAN><SPAN>&nbsp;</SPAN>(AD) schema.</P> </LI> <LI> <P>One<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_BladesFeatures.tp_ida_collector variable">Identity Collector</SPAN><SPAN>&nbsp;</SPAN>can serve multiple<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_Other.tp_sgates variable">Security Gateways</SPAN>, even from a different<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_BladesFeatures.tp_dmss variable">Domain Management Servers</SPAN><SPAN>&nbsp;</SPAN>on a<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_BladesFeatures.tp_mds variable"><A class="MCTextPopup MCTextPopupHotSpot MCTextPopupHotSpot_ #text MCTextPopup_Closed" role="button" href="https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics-IA-Clients-AG/Identity-Collector.htm?tocpath=Identity%20Collector%7C_____0#" data-mc-state="closed" data-aria-describedby="c11cb361-d463-467f-93f3-4cc452ebefcc" target="_blank">Multi-Domain Server</A></SPAN></P> </LI> <LI> <P><SPAN class="mc-variable Vars_BladesFeatures.tp_ida_collector variable">Identity Collector</SPAN><SPAN>&nbsp;</SPAN>can communicate with a maximum of up to 35<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_Other.tp_active_directory variable">Active Directory</SPAN><SPAN>&nbsp;</SPAN>(AD) servers.</P> </LI> <LI> <P><SPAN class="mc-variable Vars_BladesFeatures.tp_ida_collector variable">Identity Collector</SPAN><SPAN>&nbsp;</SPAN>can process a maximum of 1900<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_Other.tp_active_directory variable">Active Directory</SPAN><SPAN>&nbsp;</SPAN>(AD) events per second.</P> </LI> </UL> Thu, 03 Apr 2025 21:09:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-Query-vs-Identity-Collector/m-p/245652#M47862 Lesley 2025-04-03T21:09:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-Query-vs-Identity-Collector/m-p/245663#M47866 <P>Not sure if you meant to add a screenshot or something there, which option are you referring to?</P> Fri, 04 Apr 2025 03:34:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-Query-vs-Identity-Collector/m-p/245663#M47866 emmap 2025-04-04T03:34:34Z