topic Re: Identity Collector is now GA in General Topics

Identity Collector is now GA

PhoneBoy — Thu, 04 May 2017 16:48:38 GMT

Check Point Identity Collector is a Windows-based application which collects information about identities and their associated IP addresses, and sends it to the Check Point Firewalls for identity enforcement. The identities are collected from the following servers:

Microsoft Active Directory Domain Controllers.
Cisco Identity Services Engine (ISE) Servers, versions 2.0, 2.1 and 2.2 - see sk108235.

Identity Collector Key Benefits over Standard AD Query

Reduces the load on the Security Gateway - the agent is doing the queries instead of the Security Gateway.
Reduces the load on the DCs - the native Windows API used consumes less resources.
The Identity Collector requires no administrator or administrator-like permissions. Only permission required is read-only access to the domain security logs.
One Identity Collector can serve multiple gateways, even from different CMA.

Identity Collector will be part of R80.10 GA. It can also be utilized on R77.30 and R77.20 with a hotfix that can be obtained through the TAC.

For more details: Identity Collector Technical Overview

Re: Identity Collector is now GA

Raj_Khatri — Fri, 05 May 2017 11:54:09 GMT

Thanks Dameon for the update. We have been using the AD Query Agent for the past 2 years which was in EA. Do you know if the R77.20/R77.30 standalone hotfix will be integrated into a newer jumbo take?

Re: Identity Collector is now GA

Quinn_Yost — Fri, 05 May 2017 14:24:56 GMT

About time! I presume the hotfix is the same as required for vSec enforcer?

Re: Identity Collector is now GA

PhoneBoy — Fri, 05 May 2017 18:42:49 GMT

Not sure what the plan is with respect to integrating with the Jumbo Hotfix. I believe it can be applied on top of current jumbo hotfixes, but check with the TAC to confirm.

Re: Identity Collector is now GA

Magnus_Holmberg — Sun, 21 May 2017 05:59:33 GMT

been using it for years now and working great, would love to see it integrated to general HFA for R77.30.

Re: Identity Collector is now GA

Doeschi — Sun, 21 May 2017 19:47:22 GMT

Hi Phoneboy,

thanks for the info, we've been discussing the collector on the CPX in Milan with Peter Elmer. We're acutally waiting for an additional feature for the last few years. As we'd like to replace the Client Auth Rules with Identity Based Rules (IA), we miss the opportunity to use/force strong authentication.

Ideas that came into my mind when we learned about the Identity Collector:

Make a web-based portal on the Indentity Collector quite similar to the one on the Firewall Module for Client Auth, so the user can use SecurID Tokens to authenticate.
The Identity Collector itself does note the quality of authentication of each identity (simple/plain auth learned from the AD, strong auth for those who used the portal on the Identity Collector). This information must be shared between all Identity Collectors.
The Firewall Module will learn the quality of the authentication along to the identity
In the firewall policy one can select per rule which quality of authentication is needed. (IA with plain auth/IA with strong auth)

Let me know, what you guys think about that. For me, this will be a great addition to a new great solution from Check Point.

Regards

Roger

Re: Identity Collector is now GA

Brian_Deutmeyer — Mon, 22 May 2017 02:48:46 GMT

Good luck integrating IDC HF with vSEC HF... I was told it couldn't be done on 77.20... Both are integrated in 80.10...

Re: Identity Collector is now GA

Magnus_Holmberg — Mon, 22 May 2017 05:06:49 GMT

Hi,

the web-based portal is something we have asked R&D for the last 2 years we have been using the clients, not for strong auth but to make it easier for the linux/MAC guys. Currently they need to login to diffrente webpages depending in what country they are in.
And if we would have it on the IC server instead, then we could share the identity across the board on all CMA.
So thats something that would help very much.

Second part of agent is to understand the redundancy you get as there is really no HA, cluster etc.
Would be nice if you could get the Agents to atleast see eachother if they are up or not.

Agreeing with the strong auth as a BYOD senario would be easier to achive if the rules could demand strong auth based on 2 factor or similar on the webportal.

Regards,
Magnus

Re: Identity Collector is now GA

Tzvi_Katz — Mon, 22 May 2017 14:36:12 GMT

Hi Magnus,

1. For Web based portal - Why not not log to a specific PDP portal and configure Identity Sharing to share info with the enforcing gateways?

2. For Cross CMA identity Sharing - We are not about to add everything but the kitchen sink to the identity collector just to overcome the cross CMA issues but to address them in the gateway level. There is an RFE being worked to provide PDP to PDP identity sharing over REST to overcome the SIC limitations.

3. Identity agents HA - We will add to the subsequent release a view of last reported time from each client. Our best practice guideline is to use an Active-Active formation - have two agents report the same information to the PDP's.

4. Our vision for authentication enforcement is to have as part of the access role to enable to choose the selected realm and identity source, but this is something in the longer term roadmap.

Regards,

Tzvi Katz - Identity Awareness and Access Clients R&D GM

Re: Identity Collector is now GA

Tzvi_Katz — Mon, 22 May 2017 14:53:19 GMT

Hi Roger,

Please find the answer I had provided Magnus om the same thread.

Essentially there is no need for a portal on the Identity Collector for that, but to enhance the gateway/management side.

Currently the Identity Awareness captive portal do support SecurID as a matter of fact.

As I had answered Roger we have a product vision to extend the authentication scheme to a unified one (see remote access client multi login options) to all of Check Point components are enforce the login option as part of the access role.

Re: Identity Collector is now GA

Magnus_Holmberg — Mon, 22 May 2017 15:04:24 GMT

Hi Tzvi,

1, 2: Sharing between gateways is about step number 2 or 3 that R&D always ask us to turn off.
Yes we have done sharing within CMA before between GW.
When we ask R&D about sharing between CMA they say ok its possible but hard to do and not recommended with the amount of users/objects we have.

If you can cross share between domains with high number of users we would love to do that.
Second part why we would like it in the IC is that then we could possible have it from multiple domains as we recently was bought by another ISP and it will take years before all is integrated fully.

3: Sure but one comment i know we and other customers have had is the issue on seeing if it stops or not, it has been solved with monitoring on server side ofc.
But it would be nice to get a logentry saying: "lost identity collector" or similar. in the log.

4: Sure thing.

But we will submit and RFC and then you guys can check if multiple customers wants the same to be added.
Just because checkpoint want you to do in a specific way its not always the way that the customers wants to have it.We see it as a great benefit if we can get all IA from one source and connect the citrix, portal etc to the agent as well.

/Magnus

Re: Identity Collector is now GA

Doeschi — Mon, 22 May 2017 16:03:26 GMT

Hi Tzvi,

First, thank you for the answer. Well, using the Identity Awareness Captive Portal doesn't solve the problem sharing the Identity over Cross CMA as well as handling multiple domains. Thus, it'll reduce the load on the gateways, if there's a possibility to "outsource" that feature to a system like the IC.

To my opinion, Magnus and I share the same idea of having 1 system (with possible HA solution) to collect the identities as well as the "used" authentication method and share it with all gateways independently of their Management Systems / Domains. Along with extending the IA access role with the auth scheme as you already "visioned", the solution would be perfect and a great benefit for all IA users.

Regards

Roger

Re: Identity Collector is now GA

Brian_Deutmeyer — Mon, 22 May 2017 17:37:23 GMT

In regards to sharing between CMAs, I just set up a PDP for each CMA and had the IDC send identities to each PDP. Those PDPs can then share the identities with all the gateways in each respective domain.

So if you have 2 domains, each domain will have its own PDP and the IDC will send the same identities to both PDPs to be shared.

Re: Identity Collector is now GA

Dor_Marcovitch — Wed, 16 May 2018 06:39:27 GMT

can we use the identity collector to aggregate identities from the terminal server's MUH agent for multiple gateways?

Re: Identity Collector is now GA

Doeschi — Wed, 16 May 2018 08:19:19 GMT

Hi Dor,

This is a good idea and goes along the ideas we raised a year ago. It would be great, if the identity collector would be the "single point of contact" regarding identities used for authorization within Check Point products. To achieve this, the identity collector should be capable to collect the identities from the AD and the ISE (as it works now) but also from the IA Agents and the MUH agents. And, it should also make a difference of people with weak authentication (like username / password on windows logon) and people with priviledged access that has to use strong authentication (2-factor auth) and mark the identities accordingly. Then on the security gateway the firewall admin can decide per rule, if no auth, weak auth or strong auth is needed to match the rule.

Regards

Roger

Re: Identity Collector is now GA

PhoneBoy — Wed, 16 May 2018 16:40:57 GMT

As far as I know, not currently, though it sounds like a good idea.

Tzvi Katz‌, maybe something to consider?

Re: Identity Collector is now GA

Tzvi_Katz — Tue, 22 May 2018 08:41:40 GMT

Hi Dameon,

The identity collector purpose is to collect identities from external sources. The PDP should be the source of the logic.

So what Roger had essentially requested is to add to an access role the capability to specify the identity source or the realm used for authentication.

Re: Identity Collector is now GA

Tzvi_Katz — Tue, 22 May 2018 08:42:58 GMT

Hi Dor,

The PDP can perform the identity sharing of MUH sessions, no need for the IDC to own such capability.

Re: Identity Collector is now GA

Dor_Marcovitch — Tue, 22 May 2018 08:52:04 GMT

why not consolidating the "collection role" of identities from external resources to one entity (IDC) instead of using identity sharing between all the FWs ?

then you can also change the update channel of identities from the FW to the IDC.. than you will get some kind of a Star topology for the identity sharing process and if you add the ability to have 2 different servers as the IDC you get even

more redundancy (IDC installed on a VM server which can be redundant on multiple physical servers on multiple datacenters)

Re: Identity Collector is now GA

Doeschi — Tue, 22 May 2018 09:01:20 GMT

Not to mention the offload of the https sessions from the IA Agents to the IDC instead to the already busy firewalls in a large scale deployment. Thus identity sharing with the need of that ridiculous hide-nat configuration could be fully replaced by IDC... and even cross-CMA.