topic Re: LDAP Account Unit in Firewall and Security Management

LDAP Account Unit

Unon — Sun, 25 Feb 2024 10:28:50 GMT

Hi,

Recently I started messing around with identity awareness with Identity Collector.

I've seen in the admin guide that ldap account unit is required, but when I created an object for it I didn't find how to associate it with the gateway. On other deployment done before me I can see the ldap account unit used within the gateway and that's what I'm trying to understand. Can you please help?

Re: LDAP Account Unit

Lesley — Sun, 25 Feb 2024 11:19:59 GMT

Is this not in the wizard when you enable Identity blade under the gateway object?

From my mind you have to connect with ad there correct?

Re: LDAP Account Unit

Unon — Sun, 25 Feb 2024 12:32:46 GMT

In the wizard there is a part where you configure what AD you query and it uses the account unit. Yet when I want to see where the account unit is used I see nothing. In the other deployment when you view where it's used you can see it used in the identity aware fw

Re: LDAP Account Unit

the_rock — Sun, 25 Feb 2024 15:29:25 GMT

You created already LDAP account unit? If so, can you fetch the branches?

Best,

Andy

Re: LDAP Account Unit

Unon — Sun, 25 Feb 2024 18:53:51 GMT

No I can't but still the account unit should be associated with the gateway isn't it? And moreover let's say I want to get identities from multiple ADs how can I associate more than one if I can only add via the identity awareness wizard?

Essentially I try to find an easy way to associate ldap account unit to a gateway. I wanted to start from the easiest part and than try more harder scenarios.

But thanks you helped me understand some things

Re: LDAP Account Unit

the_rock — Mon, 26 Feb 2024 00:10:05 GMT

Yes, 100% is HAS TO BE associated with the gateway. Put it this way...identity collector changes how the gateway will "get" the users, so its via the logs instead of WMI, BUT, it still has to pull the groups via LDAP account unit, regardless if you use IC or not.

Makes sense?

Best,

Andy

Re: LDAP Account Unit

Unon — Mon, 26 Feb 2024 08:46:14 GMT

It does make sense and now I understand more but I'm still confused about why I can't see the ldap account unit associated with the gateway and now that I know it is supposed to be associated via the identity awareness wizard I don't understand how to associate multiple ldap account unit with the same gateway?

I would believe that it's more simple than I imagine but currently I can't find how to do it.

Re: LDAP Account Unit

Lesley — Mon, 26 Feb 2024 12:10:38 GMT

Relevant FW object -> Identity Awareness -> Identity Collector Settings -> Settings -> Specific (in here you can select what account unit this firewall can read).
Default is all, so ALL configured account units.

Re: LDAP Account Unit

the_rock — Mon, 26 Feb 2024 12:39:32 GMT

Ok, lets take step back. Please confirm.

1) Is LDAP account unit created?

2) If so, do you have all servers configured needed?

and

3) If yes to both 1 and 2, can you fetch the branches?

Best,

Andy

Re: LDAP Account Unit

Unon — Mon, 26 Feb 2024 12:47:15 GMT

Yes to 1 and 2 no on the 3 maybe because I missed something in the server configuration or networking problems I'm gonna fix later. Is that the problem? shouldn't the ldap account unit be associated with the gateway anyway wether it works or not? When I say associate I mean that if I see where it's used

Re: LDAP Account Unit

the_rock — Mon, 26 Feb 2024 12:52:46 GMT

Well, if thats the case, it will never work sadly. Can you communicate with the server from the fw itself? Did you make sure rule allows it? See, if unit is there, thats fantastic, BUT, if the communication is failing, then its not very useful. The only time fetching the branches would not work is if you use S1C instance, because thats expected, otherwise, if its on-prem, it has to work, for sure. Can you ping the fw from the AD at all?

Best,

Andy

Re: LDAP Account Unit

Unon — Mon, 26 Feb 2024 12:59:06 GMT

No currently I have networking problems so I wanted to start by first configure everything on the gateway side and than tackling the problems. I understand from you that it's impossible to do it that way so I will work to fix these issues and see if things are improving

Thanks a lot for your help!

Re: LDAP Account Unit

the_rock — Mon, 26 Feb 2024 13:22:21 GMT

No problem at all. By the way, as a side note, I would NOT use ad query, opt out for AD instead. See great discussion in below post.

Best,

Andy

https://community.checkpoint.com/t5/Security-Gateways/New-IA-Implementation/m-p/185851#M34184

Re: LDAP Account Unit

Unon — Mon, 26 Feb 2024 16:37:20 GMT

Thanks for the reference!

I read it a bit and I have a question out of curiosity. Let's say I want to implement identity awareness by using an Identity collector. Am I required to create ldap account unit? From what you cited seems like it's not a necessity but in some documentations it's seems like it is for reading logs. I'm trying to understand how to properly implement IA according to the best practice

Re: LDAP Account Unit

the_rock — Mon, 26 Feb 2024 16:42:07 GMT

ldap account unit has to be there...thats how groups are pulled. You can uncheck ad query setting and simply have ic on.

I will send you screenshot later.

Andy

Re: LDAP Account Unit

Unon — Mon, 26 Feb 2024 16:52:49 GMT

Ok thanks!

Re: LDAP Account Unit

the_rock — Mon, 26 Feb 2024 16:53:15 GMT

Re: LDAP Account Unit

the_rock — Mon, 26 Feb 2024 17:27:02 GMT

Btw, when you enable IA blade, you dont even need to go through wizard, just enable the blade, cancel the screen and then save, go back and simply enable IC option, configure settings there, save, install policy, test.

Andy

Re: LDAP Account Unit

Unon — Mon, 26 Feb 2024 17:21:43 GMT

Really? Than how I associate the ldap account unit object with the gateway?

Re: LDAP Account Unit

the_rock — Mon, 26 Feb 2024 17:24:56 GMT

NO : - ). That is not how you associate it. You need to have ldap acccount unit there, thats it. AD query does NOT need to be enabled in the wizard. We have many customers who have ldap account unit and dont even have IA blade enabled, its fine. Only downside is that without ia blade on, you cannot use access roles, which is helpful. Otherwise, logs will have usernames contained in them, it works fine even without ia blade enabled.

Best,

Andy