topic Re: Identity Agent vs Identitiy Collector -- AD Query in General Topics

Identity Agent vs Identitiy Collector -- AD Query

ShadowNif — Thu, 21 Nov 2024 15:57:09 GMT

Hello,

I was trying to find out what is exactly how does the Identity agent send the info to the ID Awareness Server.
Could not find exactly an SK that tell me directly what happened on the Agent side.

I already installed and configured the ID Agent on the Gateway (Identity source). I see that the Identity source when users connect with the identity Agent .. Although, in how does the Gateway learn the AD Groups that user in?
Does the Agent collect this information from the user and send it to the PDP ? In this case, any changes in the AD should be followed with gpupdate on the client side, so the agent learns those changes ?

And in this scale of 3000 users, is it ok to keep the Agent or recommended moving to Collector?
Which one is better for AD traffic ? I don't want to send many request to AD. Although the Agent gets them from user PC which already make the connection to the AD. But the collector is up-to-date.

I could not find much info regarding this subject on the Checkpoint site...

Re: Identity Agent vs Identitiy Collector -- AD Query

AkosBakos — Thu, 21 Nov 2024 16:22:00 GMT

Hi @ShadowNif

Frist have a look at on the best practices: https://support.checkpoint.com/results/sk/sk88520

I have exprience with 2000 user and they use Identity Agent. No problem, works fine.

I would push you to the IA Collector way in a large environment. Easier to keep up to date the version, no need to change/update agents on the endpoints (where a lot of agent have already installed on the machines).

It would be enough to handle the Terminal server agent on the jumphosts etc.

What is under the hood in IA? The answer: ATRG: Identity Awareness

Akos

ps.: i will search for detailed explanation of the IA agent.

update i: https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics/Identity-Agent-for-Endpoint-Computer.htm

Re: Identity Agent vs Identitiy Collector -- AD Query

the_rock — Thu, 21 Nov 2024 17:25:01 GMT

Have a look at this discussion, I believe it will help you lots.

Andy

https://community.checkpoint.com/t5/Security-Gateways/New-IA-Implementation/m-p/185851#M34184

Re: Identity Agent vs Identitiy Collector -- AD Query

Lesley — Thu, 21 Nov 2024 19:14:42 GMT

On the gateway object i would recommend idc. 2 servers would be the best. It is not a ‘cluster’ then but it helps if something happens on one server. You don’t need to run a separate server special for idc it can share the server with other stuff 😃

Most customers do not want idc on their dc tho. Also do not enable adquery on gateway object only idc. Just make a ldap account unit in SmartConsole

Re: Identity Agent vs Identitiy Collector -- AD Query

PhoneBoy — Thu, 21 Nov 2024 21:58:14 GMT

The most accurate way to obtain identity is via the agent as it is closest to the user.
All identity methods (except SAML ones) get groups via an LDAP Query via the relevant Active Directory server.

Re: Identity Agent vs Identitiy Collector -- AD Query

ShadowNif — Fri, 22 Nov 2024 05:25:31 GMT

Thnx for the answers,
Although this still does not answer my question, how does the Gateway learn the AD Groups that the user has in the Identity Agent setup?
Does the ID agent connect to AD, take the info and forward it to the Gateway/PDP ?

Re: Identity Agent vs Identitiy Collector -- AD Query

ShadowNif — Fri, 22 Nov 2024 05:27:47 GMT

who makes the Query in case of the Identity Agent setup ? The ID agent ? Does the gateway need to connect the AD after that ?

Re: Identity Agent vs Identitiy Collector -- AD Query

ShadowNif — Fri, 22 Nov 2024 05:30:29 GMT

Still does not explain how does the Agent optain the infos about user groups !

Re: Identity Agent vs Identitiy Collector -- AD Query

ShadowNif — Fri, 22 Nov 2024 05:33:41 GMT

Ya ive gone through those article before i posted my question. but non of them says exactly what or how does the agent works.
If i updated something in AD, should i do gpupdate on the client side so that the Agent knows the new changes, Or it connects to the AD and take the info and give it to the PDP. Although the agent System does not even know that there changes ... how does it exactly work!!?

Re: Identity Agent vs Identitiy Collector -- AD Query

AkosBakos — Fri, 22 Nov 2024 08:16:06 GMT

Hi @ShadowNif

Just open a TAC case, and ask them to give a resolution of IA working.

They 100% have a detailed description of IA flow.

Akos

Re: Identity Agent vs Identitiy Collector -- AD Query

the_rock — Fri, 22 Nov 2024 11:30:16 GMT

page 106

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/CP_R81_IdentityAwareness_AdminGuide.pdf

Re: Identity Agent vs Identitiy Collector -- AD Query

the_rock — Fri, 22 Nov 2024 11:35:16 GMT

Also, see below what TAC sent me while back when I worked with client that mostly had MAC os in their company.

Andy

*********************

The MacOS identity agent would offer an alternative to AD Query, since the domain controller is not providing the proper events we need to do AD Query for the MacOS hosts. The agent would authenticate with the gateway, which would in turn authenticate against the AD. This should allow the gateway to enforce user-based identities for MacOS clients.

The captive portal may also be another option should they not wish to install the Identity Agent on the MacOS hosts but, unlike the Agent, has difficulty distinguishing between multiple users behind the same IP address.

******************************

Re: Identity Agent vs Identitiy Collector -- AD Query

PhoneBoy — Fri, 22 Nov 2024 14:47:31 GMT

The gateway (the PDP specifically) makes the LDAP query based on the configured LDAP Account Unit(s).

Re: Identity Agent vs Identitiy Collector -- AD Query

Vanness_Chen — Thu, 22 Jan 2026 09:04:33 GMT

Hi experts,

Sorry for replying to this older thread, but I’m really in need of some ideas to help resolve an ongoing issue.

The customer is running an R81.20 VSX environment. There are 5 VS instances with Identity Awareness (IC) enabled, and each VS is associated with two IDC Servers for redundancy. Each IDC Server, in turn, is connected to more than 40 Domain Controllers.

On the Security Gateway, running pep show pdp all shows that the number of users exceeds 40,000.

The customer relies heavily on Access Roles to control Internet access, so the stability of Identity Awareness is critical. However, they frequently report that during morning peak hours, a small number of users—who should already be authorized by Access Roles—are unable to access the Internet.

When checking the logs, we found that for the affected users, there is often a delay of more than 30 minutes between the time their PCs connect to the network after booting and the time their Identity login is successfully completed.

Over the past two years, we have opened countless support cases, but we still cannot guarantee stable behavior.
Are there any other approaches or best practices that could help improve this situation?

Re: Identity Agent vs Identitiy Collector -- AD Query

Vincent_Bacher — Thu, 22 Jan 2026 09:48:32 GMT

We worked with same amount of IA sessions as well, up to 50k simultaneous sessions. Reading your post there are several points coming into my mind. For exampe if ALL collected sessions are relevant for your use case internet access or do you see any options to filter out sessions. Reduced amount of sessions will reduce amount of load on the PEP. I speak from painful experience.

In addition it would be helpful if you could share details of your IA configuration to better understand what is going on.

First idea:

We only do IDC with an ISE and not with AD controllers, but we have experience with many sessions.
I would therefore recommend reducing the load on the PEPS, i.e. the VSX firewalls, when there are so many sessions.
I would therefore not connect the IDC directly to the PEP, but would set up an upstream PDP instance. The IDCs are then connected to these PDP devices. The sessions are then passed on to the VS via identity sharing. This should take a lot of load off the VS.

Re: Identity Agent vs Identitiy Collector -- AD Query

PhoneBoy — Thu, 22 Jan 2026 16:54:24 GMT

Worth noting that in the R82.10 release, we've made several improvements to resilience and scalability in Identity Awareness.