Sorin_Gogean
Explorer

Identity Awareness - Identity Collector monitoring


Hello everyone,

We're about to start using Identity Awareness with Identity Collectors (redundant and everything else), and one problem we were noticing is that we did not see any way to monitor Identity Collector.

Like the connection to AD servers, or the connection to ISE servers, or even GWs.

 

Are you aware of any ways to achieve this? Or are there any MIBs for GWs through which we can get IA status and eventual errors?

 

Thank you,

 

PS: there is another topic IA Monitoring that we will try in a similar way, but still

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin

The identity collector itself? I don't think so.
That said if you're not seeing identities flow on the gateway, that would be a sign of an issue.
This SK suggests a possible MIB to query: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 


0 Kudos
(1)
5 Replies
Sorin_Gogean
Explorer

Morning,

Currently we don't have any issues with the identity flow to the GW, but we are looking into a way to monitor this.

We are testing for now the SNMP monitoring of IA/IC through the GW, and that provides us with details on the sources connected to the IC (DC or pxGrid/ISE). So we should be able to alert and take actions in case something shows up.

 

Thank you,

(As example from similar SNMP implementation)


0 Kudos
PhoneBoy
Admin

There doesn't seem to be an obvious way to monitor this directly.
That said, you should see an active TCP connection on the gateway from the Identity Collector.
Maybe we need additional instrumentation here? 
@Royi_Priov 

0 Kudos
Royi_Priov
Employee

Hi @Sorin_Gogean ,

There are monitoring capabilities to IDC.

Please check sk108235, under "Monitoring capability" section - as @PhoneBoy wrote above.

The SNMP OIDs are mentioned in $FWDIR/conf/identity_server.cps

I suggest first checking that the feature is working as needed with the "pdp idc status" command.

 

As for a direct monitoring mechanism, there isn't one. However, since IDC is worth nothing without the PDP gateway getting the info from IDC, I personally don't think we need to add something to IDC itself.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
0 Kudos
Sorin_Gogean
Explorer

Morning everyone,

 

Like Royi said, we are monitoring via SNMP from the PDP (our GW), which shows the source details received from IDC (sorry for the confusion).

We're getting all the information from the table OID .1.3.6.1.4.1.2620.1.38.53.... with all its members ("Identity Collector Sources").

That covers our current needs.

 

Thank you and have a nice week,

 

0 Kudos