Ya ive gone through those article before i posted my question. but non of them says exactly what or how does the agent works. 
If i updated something in AD, should i do gpupdate on the client side so that the Agent knows the new changes, Or it connects to the AD and take the info and give it to the PDP. Although the agent System does not even know that there changes ... how does it exactly work!!? 

Still does not explain how does the Agent optain the infos about user groups !

Hi @ShadowNif 

Just open a TAC case, and ask them to give a resolution of IA working.

They 100% have a detailed description of IA flow.

Akos

page 106

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/CP_R8...

Also, see below what TAC sent me while back when I worked with client that mostly had MAC os in their company.

Andy

*********************

The MacOS identity agent would offer an alternative to AD Query, since the domain controller is not providing the proper events we need to do AD Query for the MacOS hosts. The agent would authenticate with the gateway, which would in turn authenticate against the AD. This should allow the gateway to enforce user-based identities for MacOS clients.

The captive portal may also be another option should they not wish to install the Identity Agent on the MacOS hosts but, unlike the Agent, has difficulty distinguishing between multiple users behind the same IP address.

******************************

Hi experts,

Sorry for replying to this older thread, but I’m really in need of some ideas to help resolve an ongoing issue.

The customer is running an R81.20 VSX environment. There are 5 VS instances with Identity Awareness (IC) enabled, and each VS is associated with two IDC Servers for redundancy. Each IDC Server, in turn, is connected to more than 40 Domain Controllers.

On the Security Gateway, running pep show pdp all shows that the number of users exceeds 40,000.

The customer relies heavily on Access Roles to control Internet access, so the stability of Identity Awareness is critical. However, they frequently report that during morning peak hours, a small number of users—who should already be authorized by Access Roles—are unable to access the Internet.

When checking the logs, we found that for the affected users, there is often a delay of more than 30 minutes between the time their PCs connect to the network after booting and the time their Identity login is successfully completed.

Over the past two years, we have opened countless support cases, but we still cannot guarantee stable behavior.
Are there any other approaches or best practices that could help improve this situation?

We worked with same amount of IA sessions as well, up to 50k simultaneous sessions. Reading your post there are several points coming into my mind. For exampe if ALL collected sessions are relevant for your use case internet access or do you see any options to filter out sessions. Reduced amount of sessions will reduce amount of load on the PEP. I speak from painful experience.

In addition it would be helpful if you could share details of your IA configuration to better understand what is going on. 

First idea:

We only do IDC with an ISE and not with AD controllers, but we have experience with many sessions.
I would therefore recommend reducing the load on the PEPS, i.e. the VSX firewalls, when there are so many sessions.
I would therefore not connect the IDC directly to the PEP, but would set up an upstream PDP instance. The IDCs are then connected to these PDP devices. The sessions are then passed on to the VS via identity sharing. This should take a lot of load off the VS.

Worth noting that in the R82.10 release, we've made several improvements to resilience and scalability in Identity Awareness.

who makes the Query in case of the Identity Agent setup ? The ID agent ? Does the gateway need to connect the AD after that ?  

The gateway (the PDP specifically) makes the LDAP query based on the configured LDAP Account Unit(s).