
Identity Awareness setup

Hi All,

I will be setting up Identity Awareness in an R80.10 MDS environment. We will be using Identity Collectors to communicate with the DCs and provide what is in the security logs to the firewall. After reading the documentation I have some questions regarding setup and usage. Thanks in advance:

1) I have read the following identity collection requirement:

"Identity collector provides information about users, machines and IP addresses to the Security Gateway. LDAP Account Unit(s) should be configured to allow PDP gateways to perform group lookups on IDs that are provided from Identity Collector to match them to Access Roles."

If an account unit is created in the domain (Check Point local domain, NOT Active Directory) and applied to the firewall object under firewall properties - others - user directory, is that all I need to perform this requirement?

2) There is no way to apply an account unit I created in global directory (at least not that I can find). Does this mean I cannot use global rules with identity awareness since the global account unit would not be assigned to the firewall to perform global lookups?

3) Is there any way to create rules for individual users as opposed to groups?

Thanks,

Josh

Re: Identity Awareness setup

Actually, I'd like to get some clarity on this statement too:

"Identity collector provides information about users, machines and IP addresses to the Security Gateway. LDAP Account Unit(s) should be configured to allow PDP gateways to perform group lookups on IDs that are provided from Identity Collector to match them to Access Roles."

I thought that the Identity Collector was, in part, used to circumvent the necessity of creating the Administrative account for Check Point's LDAP Account unit.

But it looks like it is required anyway for IA to work as intended.


Re: Identity Awareness setup

Hey Vladimir,

I do know from my reading that the collector only gets events from the domain security logs (user login/logout info). The collector then sends these usernames to the gateways to match them with an IP address, BUT it's only one part of the total equation. The gateway still needs to match this username to AD groups and memberships, hence the need for the LDAP account unit. Once you have this piece you can make access role objects and query anything in the AD directory for the gateway to enforce.

Josh


Re: Identity Awareness setup

The Identity Collector just obtains the usernames.
LDAP Lookups still occur at the gateway level and those are tied to a specific domain, not global.
Which likely means you cannot configure LDAP groups at a global level, but @Royi_Priov should comment further.

If you want to create a user-specific rule, isn't that just a matter of defining an access role for the specific user in question?

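To make the two-part flow from Josh's reply and the admin's answer to question 3 concrete, here is a small Python model added to this thread (it is not Check Point code and does not talk to a real DC or LDAP server). It assumes a constructed, simplified logon-event format (event ids 4624/4634 with key=value fields) standing in for what the Identity Collector reads from the DC security log, a constructed in-memory directory standing in for what the LDAP Account Unit would return, and Access Roles that match on either group membership or a specific user. Following the quoted requirement, the model treats a domain with no Account Unit assigned to the gateway as one whose identities cannot be matched to any Access Role.

```python
"""Model of the Identity Awareness flow discussed above (illustrative, not product code).

Step 1 (Identity Collector): derive an IP -> DOMAIN\\user map from DC logon/logoff events.
Step 2 (PDP gateway): resolve the user's groups through the LDAP Account Unit for that domain.
Step 3 (gateway): match the identity against Access Roles (group-based or user-specific).
"""
import re
from dataclasses import dataclass, field

# Constructed sample events; the real Windows security log is richer than this.
SAMPLE_EVENTS = [
    "4624 TargetUserName=jsmith TargetDomainName=CORP IpAddress=10.1.1.25",  # logon
    "4624 TargetUserName=asmith TargetDomainName=CORP IpAddress=10.1.1.26",  # logon
    "4634 TargetUserName=jsmith TargetDomainName=CORP IpAddress=10.1.1.25",  # logoff
    "4624 TargetUserName=jsmith TargetDomainName=CORP IpAddress=10.1.1.30",  # logon elsewhere
]

# Constructed stand-in for the directory reachable through the CORP Account Unit.
CORP_DIRECTORY = {
    "CORP\\jsmith": {"Domain Users", "Finance"},
    "CORP\\asmith": {"Domain Users", "IT-Admins"},
}

EVENT_RE = re.compile(
    r"^(?P<id>\d+) TargetUserName=(?P<user>\S+) TargetDomainName=(?P<dom>\S+) IpAddress=(?P<ip>\S+)$"
)


def collect_identities(lines):
    """Identity Collector part: map IP -> DOMAIN\\user from logon (4624) and logoff (4634) events."""
    mapping = {}
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # unrelated or malformed event
        ident = f"{m['dom']}\\{m['user']}"
        if m["id"] == "4624":
            mapping[m["ip"]] = ident
        elif m["id"] == "4634" and mapping.get(m["ip"]) == ident:
            del mapping[m["ip"]]  # only drop the mapping if it still belongs to this user
    return mapping


def ldap_group_lookup(ident, account_units):
    """Gateway part: group lookup needs an Account Unit assigned for the identity's domain.

    account_units maps domain name -> directory (here a dict); returns None when no
    Account Unit exists for the domain, i.e. the gateway cannot resolve groups.
    """
    domain = ident.split("\\", 1)[0]
    if domain not in account_units:
        return None
    return account_units[domain].get(ident, set())


@dataclass
class AccessRole:
    name: str
    groups: set = field(default_factory=set)   # group-based membership
    users: set = field(default_factory=set)    # user-specific membership (question 3)

    def matches(self, ident, groups):
        if ident in self.users:
            return True
        return bool(self.groups & groups)


def matching_roles(ip, identities, account_units, roles):
    """Return the names of Access Roles that apply to the source IP."""
    ident = identities.get(ip)
    if ident is None:
        return []  # no identity known for this IP
    groups = ldap_group_lookup(ident, account_units)
    if groups is None:
        return []  # no Account Unit for this domain: identity cannot be matched to roles
    return [r.name for r in roles if r.matches(ident, groups)]


# Constructed roles: one group-based, one user-specific, one for a group nobody here is in.
ROLES = [
    AccessRole("Finance-Access", groups={"Finance"}),
    AccessRole("Josh-Only", users={"CORP\\jsmith"}),
    AccessRole("Admins", groups={"IT-Admins"}),
]


def demo(account_units=None):
    """Run the whole flow over the constructed data and return roles per IP."""
    if account_units is None:
        account_units = {"CORP": CORP_DIRECTORY}
    identities = collect_identities(SAMPLE_EVENTS)
    return {ip: matching_roles(ip, identities, account_units, ROLES)
            for ip in ("10.1.1.25", "10.1.1.26", "10.1.1.30")}


if __name__ == "__main__":
    print("with CORP Account Unit:", demo())
    print("without any Account Unit:", demo(account_units={}))
```

Running it shows 10.1.1.25 matching nothing (the logoff cleared it), 10.1.1.26 matching only the group-based Admins role, and 10.1.1.30 matching both the Finance group role and the user-specific Josh-Only role; with the Account Unit map emptied, no IP matches any role, which is the situation the quoted requirement warns about.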