topic Re: AD Quary to Identity collector in Firewall and Security Management

AD Quary to Identity collector

VIKAS1 — Mon, 28 Jul 2025 08:07:02 GMT

Hi Team,

We are using 9100 with ClusterXL Activity and standby configuration. R81.20 with JHF 99, along with Mobile access vpn with SNX. we are facing issue with user-based policy.

raised the TAC ticket they suggested to go with Identity collector.

I required help to configure the Identity collector on my gateway on running setup.

1) Checkpoint model-9100 -R81.20, JHF 99

2) Management box -1smart 600 with R81.20 , JHF 99.

3) VPN- Mobile access vpn with SNX

Re: AD Quary to Identity collector

G_W_Albrecht — Mon, 28 Jul 2025 09:34:44 GMT

https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics-IA-Clients-AG/Identity-Collector-Requirements.htm?tocpath=Identity%20Collector%7C_____1

Re: AD Quary to Identity collector

Lesley — Mon, 28 Jul 2025 19:34:56 GMT

Maybe start with the how to guide and try to follow it. If you get stuck ask for help here.

I can post the whole process but it is documented already.

Re: AD Quary to Identity collector

VIKAS1 — Tue, 29 Jul 2025 05:26:37 GMT

thnks, i have flow the admin guide and configure the identity collector

but when i run the pdc idc status below logs

[Expert@EMB-SJRM2-FW02:0]# pdp idc status
Identity Collector IP: 10.000.00.11---ip edited
Identity Collector status: Connected

Identity Sources:
No information about identity sources

Re: AD Quary to Identity collector

Lesley — Tue, 29 Jul 2025 11:47:29 GMT

This is a normal message that shows on all my setups with working IDC. Are there any specific issues?

Re: AD Quary to Identity collector

VIKAS1 — Tue, 29 Jul 2025 12:28:44 GMT

Some time we are not getting logs for the users, also when i run the same cli command on another standby gateway then below output i will get. ..both gateway are on active and standby.

[Expert@EMB-SJRM2-FW01:0]# pdp idc status
No connected Identity Collectors

is there any thing to be change on setting where we can reduce the sync

attached some snap fyi...

Re: AD Quary to Identity collector

Lesley — Tue, 29 Jul 2025 14:05:56 GMT

screenshots look good. What version IDC you use? With reduce sync, do you mean if you change something in AD, for example add user to AD group, it takes long for the firewall to be aware of this change?

What version you run on GW? cpinfo -y all

Re: AD Quary to Identity collector

VIKAS1 — Wed, 30 Jul 2025 05:05:35 GMT

Thanks for update, IDC version 82.126.0000, if you see the output below , i have highlighted on bold it's said that NEXT Ldap fath time almost more then 3hrs.

[Expert@EMB-SJRM2-FW02:0]# pdp m user emb-kagir

Session: 33a4fc74

Session UUID: {9A499F46-1573-FA66-F1DC-8C7464657172}

Ip: 10.199.10.116

Users: emb-kagir@bitel.local {1c791521}

LogUsername: Kumar Giri (emb-kagir)

Groups: All Users;LDAP;LDAP_SSL_VPN;ad_user_Kumar_Giri

Roles: All_Users;DMC_Teamviewer_Access;DeveloperSite_AccessGroup;Google_Drive_Access_Group;ID-Awareness;IT_Team;IT_VPN_testing;Youtube_Access_Group

Client Type: Identity Collector (Active Directory)

Authentication Method: Trust

Distinguished Name: CN=Kumar Giri,OU=ActiveUsers,OU=bitel-Users,DC=bitel,DC=local

Connect Time: Tue Jul 29 12:51:55 2025

Next Reauthentication: Wed Jul 30 02:24:01 2025

Next Connectivity Check: -

Next Ldap Fetch: Tue Jul 29 15:26:14 2025

Packet Tagging Status: Not Active

Published Gateways: Local

[Expert@EMB-SJRM2-FW02:0]# cpinfo -y all

This is Check Point CPinfo Build 914000250 for GAIA
[MGMT]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 99
[IDA]
No hotfixes..
[CPFC]
HOTFIX_TEX_ENGINE_R8120_AUTOUPDATE
[FW1]
HOTFIX_TEX_ENGINE_R8120_AUTOUPDATE
HOTFIX_INEXT_NANO_EGG_AUTOUPDATE
HOTFIX_R80_40_MAAS_TUNNEL_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 99
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE

FW1 build number:
This is Check Point's software version R81.20 - Build 046
kernel: R81.20 - Build 053
[SecurePlatform]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 99
HOTFIX_GAIA_API_AUTOUPDATE
HOTFIX_ENDER_V17_AUTOUPDATE
[CPinfo]
No hotfixes..
[PPACK]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 99
[AutoUpdater]
HOTFIX_INFRA_CONFIG_AUTOUPDATE
[DIAG]
No hotfixes..
[CVPN]
HOTFIX_ESOD_SWS_AUTOUPDATE
HOTFIX_ESOD_SCANNER_AUTOUPDATE
HOTFIX_ESOD_CSHELL_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 99
[core_uploader]
HOTFIX_CHARON_HF
[CPUpdates]
BUNDLE_TEX_ENGINE_R8120_AUTOUPDATE Take: 15
BUNDLE_GAIA_API_AUTOUPDATE Take: 7
BUNDLE_ESOD_SWS_AUTOUPDATE Take: 14
BUNDLE_ESOD_SCANNER_AUTOUPDATE Take: 10
BUNDLE_INEXT_NANO_EGG_AUTOUPDATE Take: 23
BUNDLE_GENERAL_AUTOUPDATE Take: 21
BUNDLE_INFRA_CONFIG_AUTOUPDATE Take: 10
BUNDLE_INFRA_AUTOUPDATE Take: 72
BUNDLE_DEP_INSTALLER_AUTOUPDATE Take: 31
BUNDLE_R80_40_MAAS_TUNNEL_AUTOUPDATE Take: 68
BUNDLE_ESOD_CSHELL_AUTOUPDATE Take: 20
BUNDLE_CPVIEWEXPORTER_AUTOUPDATE Take: 75
BUNDLE_QUID_AUTOUPDATE Take: 48
BUNDLE_CPOTLPAGENT_AUTOUPDATE Take: 115
BUNDLE_CPOTELCOL_AUTOUPDATE Take: 192
BUNDLE_ENDER_V17_AUTOUPDATE Take: 26
BUNDLE_R81_20_JUMBO_HF_MAIN Take: 99
BUNDLE_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE Take: 21
BUNDLE_HCP_AUTOUPDATE Take: 84
BUNDLE_GOT_TPCONF_AUTOUPDATE Take: 158
BUNDLE_CPSDC_AUTOUPDATE Take: 34
BUNDLE_CORE_FILE_UPLOADER_AUTOUPDATE Take: 23
[cpsdc_wrapper]
HOTFIX_CPSDC_AUTOUPDATE
[hcp_wrapper]
HOTFIX_HCP_AUTOUPDATE
[CPDepInst]
No hotfixes..
[CPotelcol]
HOTFIX_OTLP_GA
[CPotlpAgent]
HOTFIX_OTLP_GA
[CPquid]
HOTFIX_QUID_AUTOUPDATE
[CPviewExporter]
HOTFIX_OTLP_GA

[Expert@EMB-SJRM2-FW02:0]#

I am facing issue with ldap fetch time and also some time user logs are not getting.

Re: AD Quary to Identity collector

Lesley — Wed, 30 Jul 2025 19:14:27 GMT

LDAP fetch timer can be changed:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_IdentityAwareness_AdminGuide/Content/Topics-IDAG/CLI/pdp-timers.htm

IDC collector software is good. FW software also, no open bugs for this blade.

Re: AD Quary to Identity collector

VIKAS1 — Thu, 14 Aug 2025 06:19:25 GMT

Hi,

I have gone through recent Americas Deep Dive: Identity Awareness Best Practices , Is it required to installed Agen in all user machine?

Re: AD Quary to Identity collector

Chris_Atkinson — Thu, 14 Aug 2025 07:09:20 GMT

The IDC itself no.

The Identity Agent(s) still no, but it likely provides a better enforcement / outcome.

Re: AD Quary to Identity collector

Lesley — Thu, 14 Aug 2025 14:49:35 GMT

Laptop with one user on it no. Vdi machine with 10 it would be very helpful. Tip if there are more users on 1 ip an agent will be handy

Re: AD Quary to Identity collector

PhoneBoy — Thu, 14 Aug 2025 19:41:41 GMT

Multi-user systems require an Identity Agent to differentiate traffic from different users on the same machine.
Without an identity agent installed, roaming users may not get their identity updated when they change locations (and thus IP address).