https://community.checkpoint.com/t5/General-Topics/Can-I-implement-Identity-Awareness-without-using-a-PDP-PEP/m-p/260794#M44118 <P>Interesting sources:</P> <P><A href="https://support.checkpoint.com/results/sk/sk86441" target="_blank" rel="noopener"><SPAN>sk86441 ATRG: Identity Awareness</SPAN></A></P> <P><A href="https://community.checkpoint.com/t5/Security-Gateways/Identity-Awareness-Best-Practices-October-2025-Video-and-Slides/m-p/259579" target="_blank" rel="noopener"><SPAN>Tech Talk Identity Awareness Best Practices</SPAN></A></P> Fri, 24 Oct 2025 10:05:13 GMT Alex- 2025-10-24T10:05:13Z https://community.checkpoint.com/t5/General-Topics/Can-I-implement-Identity-Awareness-without-using-a-PDP-PEP/m-p/260777#M44115 <P data-start="159" data-end="188">Hi everyone,</P> <P data-start="190" data-end="291">I’m working on an Identity Awareness deployment on Check Point and I’d like some clarification.</P> <P data-start="293" data-end="471">I understand that in large or complex environments, the PDP/PEP Broker is used to centralize identities and share them across multiple gateways. What I’m not sure about is:</P> <UL data-start="473" data-end="864"> <LI data-start="473" data-end="580"> <P data-start="475" data-end="580">Is it possible to configure Identity Awareness directly on the gateway without relying on a Broker?</P> </LI> <LI data-start="581" data-end="730"> <P data-start="583" data-end="730">In which scenarios is it sufficient to enable IA using methods like AD Query, Identity Collector, or Captive Portal directly on the firewall?</P> </LI> <LI data-start="731" data-end="864"> <P data-start="733" data-end="864">When is an Identity Broker actually required (e.g. multi-gateway environments, distributed clusters, or multiple AD domains)?</P> </LI> </UL> <P data-start="866" data-end="1061">I’d like to confirm whether, in a relatively simple setup (a single cluster and one AD domain), everything can be done without a Broker, or if there are hidden limitations I should be aware of.</P> <P data-start="1063" data-end="1124">Thanks in advance.</P> Fri, 24 Oct 2025 06:57:39 GMT https://community.checkpoint.com/t5/General-Topics/Can-I-implement-Identity-Awareness-without-using-a-PDP-PEP/m-p/260777#M44115 RemoteUser 2025-10-24T06:57:39Z https://community.checkpoint.com/t5/General-Topics/Can-I-implement-Identity-Awareness-without-using-a-PDP-PEP/m-p/260782#M44116 <P>For a simple deployment with just a cluster and a single domain, you can use the Identity Collector and you don't need brokers or identity sharing. The Identity Collector doesn't require domain admin rights which is preferred. From there you can use other methods like Captive Portal for instance.</P> Fri, 24 Oct 2025 07:29:43 GMT https://community.checkpoint.com/t5/General-Topics/Can-I-implement-Identity-Awareness-without-using-a-PDP-PEP/m-p/260782#M44116 Alex- 2025-10-24T07:29:43Z https://community.checkpoint.com/t5/General-Topics/Can-I-implement-Identity-Awareness-without-using-a-PDP-PEP/m-p/260794#M44118 <P>Interesting sources:</P> <P><A href="https://support.checkpoint.com/results/sk/sk86441" target="_blank" rel="noopener"><SPAN>sk86441 ATRG: Identity Awareness</SPAN></A></P> <P><A href="https://community.checkpoint.com/t5/Security-Gateways/Identity-Awareness-Best-Practices-October-2025-Video-and-Slides/m-p/259579" target="_blank" rel="noopener"><SPAN>Tech Talk Identity Awareness Best Practices</SPAN></A></P> Fri, 24 Oct 2025 10:05:13 GMT https://community.checkpoint.com/t5/General-Topics/Can-I-implement-Identity-Awareness-without-using-a-PDP-PEP/m-p/260794#M44118 Alex- 2025-10-24T10:05:13Z https://community.checkpoint.com/t5/General-Topics/Can-I-implement-Identity-Awareness-without-using-a-PDP-PEP/m-p/260800#M44119 <P>Hey bro,</P> <P>Yes, 100% you can use simple setup without a broker, works fine, no limitations at all.</P> <P>What&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/10384">@Alex-</a>&nbsp;gave are great references.</P> Fri, 24 Oct 2025 12:08:04 GMT https://community.checkpoint.com/t5/General-Topics/Can-I-implement-Identity-Awareness-without-using-a-PDP-PEP/m-p/260800#M44119 the_rock 2025-10-24T12:08:04Z https://community.checkpoint.com/t5/General-Topics/Can-I-implement-Identity-Awareness-without-using-a-PDP-PEP/m-p/260824#M44124 <P>One more reference.</P> <P><A href="https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_IdentityAwareness_AdminGuide/CP_R82_IdentityAwareness_AdminGuide.pdf" target="_blank">https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_IdentityAwareness_AdminGuide/CP_R82_IdentityAwareness_AdminGuide.pdf</A></P> Fri, 24 Oct 2025 18:27:40 GMT https://community.checkpoint.com/t5/General-Topics/Can-I-implement-Identity-Awareness-without-using-a-PDP-PEP/m-p/260824#M44124 the_rock 2025-10-24T18:27:40Z https://community.checkpoint.com/t5/General-Topics/Can-I-implement-Identity-Awareness-without-using-a-PDP-PEP/m-p/260831#M44126 <P>Identity Broker is used to achieve better&nbsp;scalability reasons in larger environments.<BR />It also enables certain use cases like one-way sharing of identity data as well as cross-SIC domain sharing.<BR />For simple deployments with on-prem AD, Identity Collector is your best bet.<BR />ADQuery is not recommended any longer due to security and scalability issues with WMI.</P> Fri, 24 Oct 2025 22:14:33 GMT https://community.checkpoint.com/t5/General-Topics/Can-I-implement-Identity-Awareness-without-using-a-PDP-PEP/m-p/260831#M44126 PhoneBoy 2025-10-24T22:14:33Z