RemoteUser (Advisor)

Can I implement Identity Awareness without using a PDP/PEP Broker?

Hi everyone,

I’m working on an Identity Awareness deployment on Check Point and I’d like some clarification.

I understand that in large or complex environments, the PDP/PEP Broker is used to centralize identities and share them across multiple gateways. What I’m not sure about is:

  • Is it possible to configure Identity Awareness directly on the gateway without relying on a Broker?

  • In which scenarios is it sufficient to enable IA using methods like AD Query, Identity Collector, or Captive Portal directly on the firewall?

  • When is an Identity Broker actually required (e.g. multi-gateway environments, distributed clusters, or multiple AD domains)?

I’d like to confirm whether, in a relatively simple setup (a single cluster and one AD domain), everything can be done without a Broker, or if there are hidden limitations I should be aware of.

Thanks in advance.

Accepted Solutions
Alex- (MVP Silver)

For a simple deployment with just a cluster and a single domain, you can use the Identity Collector and you don't need brokers or identity sharing. The Identity Collector doesn't require domain admin rights which is preferred. From there you can use other methods like Captive Portal for instance.


the_rock (MVP Platinum)

Hey bro,

Yes, 100% you can use a simple setup without a broker, works fine, no limitations at all.

What @Alex- gave are great references.

Best,
Andy


5 Replies
PhoneBoy (Admin)

Identity Broker is used to achieve better scalability in larger environments.
It also enables certain use cases like one-way sharing of identity data as well as cross-SIC domain sharing.
For simple deployments with on-prem AD, Identity Collector is your best bet.
ADQuery is not recommended any longer due to security and scalability issues with WMI.
