Check Point for Beginners
When you enable Identity Awareness on a Check Point gateway, configure Identity Collector as the identity source rather than Active Directory Query. With AD Query the gateway itself pulls logon events from every domain controller over WMI; with Identity Collector a dedicated agent reads the events and pushes the identities to the gateway.
Identity Collector is an agent installed on a Windows server that is joined to your domain; it does not have to be installed on a domain controller itself.
The agent installer can be downloaded from SmartConsole (see screenshot below) or from sk134312 (https://support.checkpoint.com/results/sk/sk134312).
Run the installation wizard. Before configuring the agent, prepare the gateway side.
Open the Security Gateway object, go to the Identity Awareness section and tick Identity Collector.
Click the Settings... button. In the window that opens, define the servers on which Identity Collector is installed; configure more than one agent for redundancy.
For each agent you define a client secret. This secret will be entered into the agent in a later step, so record it for every agent you add.
The remaining settings in this window control how the agents are allowed to reach the gateway.
Once this is done, install the policy so that the configuration is applied to the gateway.
The next step is to configure the agent.
Connect to the server where the Identity Collector agent is installed and open its user interface.
First configure the domain and the sources from which the agent will receive logon events.
You can add every domain controller manually, or let the agent fetch them automatically (the recommended option).
Go to the Identity Sources section, create a new Active Directory entry and select Fetch Automatically.
In the window that opens, enter the credentials of a domain user that is a member of the built-in Event Log Readers group, and the IP address or hostname of one domain controller; the agent uses it to discover the others.
Use the Test button to verify that the agent can reach the domain controller.
If the test succeeds, click OK to apply the configuration and fetch the domain controllers of the domain.
Next, configure the query pool so that the agent starts receiving logon events.
If the connection to Active Directory works, you will see the list of available domain controllers; select all of them, or only the ones you need.
Click OK when finished.
In the main window of the Identity Sources section, check whether the counters increase.
If they do, the agent is receiving logon events from the domain.
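Before trusting the agent's Test button, it is worth checking the same prerequisites from the agent server itself: that the service account really is in Event Log Readers, that every domain controller the automatic fetch will return is reachable on RPC, and that logon events can actually be read with those credentials. The following PowerShell script is an added example and is not part of the article or of Check Point's software. It assumes the RSAT ActiveDirectory module is installed on the agent server, that `CORP\svc-idc` is the account given to the agent (a made-up name), and that the Security-log event IDs 4624, 4768, 4769 and 4770 are the logon events the agent consumes (an assumption; adjust to Check Point's current documentation).

```powershell
# Added example (not from the article): pre-flight check for the Identity Collector
# service account and the domain controllers it will read from.
# Assumptions: RSAT ActiveDirectory module installed; $Account is the agent's service
# account (made-up name); the event IDs below are the logon events the agent consumes.
Import-Module ActiveDirectory

$Account    = 'CORP\svc-idc'            # assumed service account
$Credential = Get-Credential $Account
$Sam        = $Account.Split('\')[-1]

# 1. The account must be a member of Event Log Readers (directly or through a nested group).
$readers = Get-ADGroupMember -Identity 'Event Log Readers' -Recursive |
           Select-Object -ExpandProperty SamAccountName
if ($readers -notcontains $Sam) {
    Write-Warning "$Sam is not a member of Event Log Readers; the agent will not be able to read the Security log."
}

# 2. The same list the agent's 'Fetch Automatically' option builds: every DC in the domain.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# 3. For each DC: RPC endpoint mapper reachable, and logon events readable with the
#    agent's credentials (4624 = logon, 4768/4769/4770 = Kerberos TGT / service ticket / renewal).
foreach ($dc in $dcs) {
    $rpc = Test-NetConnection -ComputerName $dc -Port 135 -WarningAction SilentlyContinue
    if (-not $rpc.TcpTestSucceeded) {
        Write-Warning "$dc : TCP/135 unreachable (check the firewall between the agent server and the DC)"
        continue
    }
    try {
        $events = Get-WinEvent -ComputerName $dc -Credential $Credential -MaxEvents 5 `
                    -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4768, 4769, 4770 } `
                    -ErrorAction Stop
        '{0}: OK, newest logon event {1:u} (ID {2})' -f $dc, $events[0].TimeCreated, $events[0].Id
    } catch {
        Write-Warning "$dc : cannot read the Security log as $Account - $($_.Exception.Message)"
    }
}
```

A DC that fails step 3 while passing step 2 usually means the account lacks Event Log Readers membership on that DC or the dynamic RPC port range is filtered; fix that before adding the DC to the query pool, otherwise the counters in the Identity Sources window will stay at zero for it.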
To complete the configuration, add the gateway in the Gateways section; click the highlighted button to create the entry.
In the window that opens, enter the IP address of the gateway. For a cluster, use the cluster IP address.
Enter the client secret configured on the gateway, select the query pool defined while configuring the identity sources, and click the Test button to verify the connection to the gateway.
The agent connects to the gateway over HTTPS; you will be asked to accept the fingerprint of the gateway's certificate. Check that it matches the gateway's certificate before accepting it; the test should then report success, as in the screenshot.
Check the counters in the main window of the Gateways section: if they increase, the agent is connected to the gateway and sending identities.
IMPORTANT: the certificate the agent trusts is the one used by the gateway's platform portal; if you have imported a third-party certificate on the gateway, the fingerprint will be that certificate's.
When the certificate is renewed, you must update it on the Identity Collector agent; the configuration settings of the gateway entry in the agent include an update button for this.
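Because the agent pins the fingerprint of the platform portal certificate, a renewal silently breaks the agent-to-gateway connection until the entry is updated. The following PowerShell function is an added example (not from the article or from Check Point): it reads the certificate the gateway presents on TCP/443, prints its SHA-1 and SHA-256 fingerprints and expiry, and warns when the live fingerprint no longer matches the one you recorded when accepting it. The gateway address `192.0.2.10` and the pinned value are constructed placeholders; the port is assumed to be 443.

```powershell
# Added example (not from the article): read the certificate the gateway's platform
# portal presents over HTTPS and compare it with the fingerprint the agent trusted.
# Assumptions: the portal listens on TCP/443 (use the cluster IP for a cluster);
# $Gateway and $Pinned below are constructed placeholders.
function Get-GatewayCertFingerprint {
    param([string]$Gateway, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($Gateway, $Port)
    try {
        # Validation callback returns $true: we only want to read the certificate, not trust it.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Gateway)
        $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
        [pscustomobject]@{
            Subject  = $cert.Subject
            NotAfter = $cert.NotAfter
            SHA1     = ($cert.Thumbprint -replace '(..)(?!$)', '$1:')
            SHA256   = (($sha256 | ForEach-Object { $_.ToString('X2') }) -join ':')
        }
    } finally {
        $tcp.Close()
    }
}

$Gateway = '192.0.2.10'   # constructed placeholder: gateway or cluster IP
# Constructed placeholder: the fingerprint you recorded when accepting it in the agent.
$Pinned  = '11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44'

$live = Get-GatewayCertFingerprint -Gateway $Gateway
$live
if ($live.SHA1 -ne $Pinned -and $live.SHA256 -ne $Pinned) {
    Write-Warning "Certificate fingerprint changed (expires $($live.NotAfter)); update the gateway entry in the Identity Collector agent."
}
```

Run it from the agent server so that it sees the same certificate the agent does (a cluster member's physical address may present a different certificate than the cluster IP), and schedule it against the portal's NotAfter date so the agent entry is updated before, not after, the renewal takes effect.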
The Identity Collector agent also lets you define filters to include or exclude networks, users and so on from the information sent to the gateway (the same filtering that is available in the Active Directory Query settings).
When everything is configured, you can check the logon events in the Logins Monitor; enable it by clicking the button highlighted in the following screenshot.
The user information will be displayed.
Author: @simonemantovani