topic Re: AD Integration with Checkpoint in Firewall and Security Management

AD Integration with Checkpoint

Matlu — Mon, 10 Jul 2023 16:20:10 GMT

Hello,

One question, for the integration of the AD with the Checkpoint Firewall, is it necessary to use the "domain admin" account ???? Or how many privileges must have the server account, to be able to integrate the AD with Checkpoint? My customer does not want to "provide" the main domain admin accounts.

Thanks for your comments.

Re: AD Integration with Checkpoint

Wolfgang — Mon, 10 Jul 2023 18:46:08 GMT

Short answer, it‘s not necessary to use a domain admin account.

For Identity Collector you need a user with memberships the „Event Log Readers group“

To browse the Active Directory, getting identities and reading groupmemberships you need a user with read rights in all OUs you want to read.

Re: AD Integration with Checkpoint

PhoneBoy — Mon, 10 Jul 2023 22:44:51 GMT

For AD Query integration, you MUST use the Domain Admin account.
For Identity Collector, the account used must have the ability to read Security Event Logs.
For LDAP group lookups (regardless of method), only an account that is able to read the directory is required.

Re: AD Integration with Checkpoint

Wolfgang — Tue, 11 Jul 2023 05:01:20 GMT

@PhoneBoy for AD query ther's no need to use an domain admin account Using Identity Awareness AD Query without Active Directory Administrator privileges on Windows Server 2008 and higher

Because of the new security features in newer windows releases AD query should not be used and it's not working without lowering the security on the windows server.

Re: AD Integration with Checkpoint

PhoneBoy — Tue, 11 Jul 2023 06:18:07 GMT

I thought the recent changes Microsoft made broke all this?
Still, I agree: use Identity Collector.

Re: AD Integration with Checkpoint

Wolfgang — Tue, 11 Jul 2023 06:30:51 GMT

from AD Query cannot access DC server when AD Query is configured for non-admin user workaround 2 states using a member of domain admin group. But does not work with the newest windows releases.

@Matlu forget about AD query. Identity Collector, Identity Agent, MUH agent are the working solutions.

Re: AD Integration with Checkpoint

Matlu — Tue, 11 Jul 2023 23:45:35 GMT

Hello,

One doubt, for the Identity Collector, is it mandatory that the AD account used belongs to the group "Event Log Readers"?

It is not possible to work this integration with an "any" user of the AD, which is in "read only" mode?

Greetings.

Re: AD Integration with Checkpoint

the_rock — Wed, 12 Jul 2023 00:14:31 GMT

I tried that sk with 4 different customers in the past, every time even TAC was on the phone, and we got it working once for like 1 day and then broke and could not be fixed again, so we just gave up on it.

Re: AD Integration with Checkpoint

the_rock — Wed, 12 Jul 2023 00:19:06 GMT

It must be able to read security event logs.

Re: AD Integration with Checkpoint

Matlu — Wed, 12 Jul 2023 01:01:29 GMT

I will give that "option" to the client, because being a state entity, their policies are really a headache.
They don't want to provide a user from the "Event Log Readers" group, as a "precaution".
Hence my query.

Re: AD Integration with Checkpoint

the_rock — Wed, 12 Jul 2023 01:08:01 GMT

We all encounter clients like that, my friend : - )

Re: AD Integration with Checkpoint

Wolfgang — Wed, 12 Jul 2023 05:24:23 GMT

@Matlu in a similar case we used the Identity Agent on the endpoint. You need local admin rights on the endpoint to install the agent but only for install. Agent can be configured to use SSO with the user authenticated on the endpoint.

Identity Agent for a User Endpoint Computer - Configuring as Identity Source