Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Sorin_Gogean
Advisor
Jump to solution

Identity Awareness - Identity Collector monitoring

Hello everyone,

We're about to start using Identity Awareness with Identity Collectors (redundant and everything else), and one problem we're were noticing is that we did not see any ways to monitor Identity Collector .

Like the connection to AD servers, or connection to ISE servers  or even GW's .

 

Are you aware of any ways to achieve this ? or are there any MIB's for GW's through where we can get IA status and eventual errors ?

 

Thank you,

 

PS: there is another topic IA Monitoring that we will try in a similar way, but still

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

The identity collector itself? I don't think so.
That said if you're not seeing identities flow on the gateway, that would be a sign of an issue.
This SK suggests a possible MIB to query: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

View solution in original post

(1)
9 Replies
PhoneBoy
Admin
Admin

The identity collector itself? I don't think so.
That said if you're not seeing identities flow on the gateway, that would be a sign of an issue.
This SK suggests a possible MIB to query: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

(1)
Sorin_Gogean
Advisor

Morning,

Currently we don't have any issues with the identity flow to the GW, but we are looking into a way to monitor this.

We are testing for now the SNMP monitoring of IA/IC through the GW, and that provides us with details on the sources connected to the IC (DC or pxGrid/ISE) . So we should be able to alert and take actions in case somethings shows up. 

 

Thank you,

(As example from similar SNMP implementation)

Untitled.png

PhoneBoy
Admin
Admin

There doesn't seem to be an obvious way to monitor this directly.
That said, you should see an active TCP connection on the gateway from the Identity Collector.
Maybe we need additional instrumentation here? 
@Royi_Priov 

0 Kudos
Royi_Priov
Employee
Employee

Hi @Sorin_Gogean ,

There are monitoring capabilities to IDC.

Please check sk108235, under "Monitoring capability" section - as @PhoneBoy wrote above.

The SNMP OIDs are mentioned in $FWDIR/conf/identity_server.cps

I suggest first to see the feature is working as needed with "pdp idc status" command.

 

As for direct monitoring mechanism, there isn't. However, since IDC worth nothing without the PDP gateway getting the info from IDC, I personally don't think we need to add something to IDC itself.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
Sorin_Gogean
Advisor

Morning everyone,

 

Like Royi said, we are monitoring via SNMP from the PDP (our GW) that shows the sources detail received from IDC (sorry for the confusion) .

We're getting all the information from the table OID  .1.3.6.1.4.1.2620.1.38.53.... with all it's members  ("Identity Collector Sources") .

That covers our current needs .

 

Thank you and have a nice week,

 

Tiago_Cerqueira
Contributor

Hi,

 

I'm also looking into this OID for monitoring, but I would like to monitor the total number of events sent from the IDC to the firewall. It seems like under the snmp branch  .1.3.6.1.4.1.2620.1.38 you can only monitor the connection between the IDC and the ADs (in our case), not the number of events being sent over from the IDC to the firewall itself, much like what you see on the "events in last hour" column ("Gateways" tab), on the IDC GUI.

 

Does anyone have any idea on how to monitor these? Thanks!

Tiago_Cerqueira
Contributor

I found a way to do this without SNMP, by using the gaia_api run-script. You can run any expert command there, that includes pdp conn idc. Then I just need to handle it on the client side

0 Kudos
hemh
Participant

Hi Sorin, I do not have any return on a snmpwalk to .1.3.6.1.4.1.2620.1.38.53, how comes?

0 Kudos
Sorin_Gogean
Advisor

hey @hemh ,

 

maybe the planets didn't align, I don't know 😁

(without knowing what you did and your environment, we can't answer)

now on a serious note, were you following the SK108235 ?

did you enabled the Registry keys on the server that is hosting the IC ?

are you seeing in the GW's the DC and/or ISE servers when you try the below commands ?

 Via cpstat CLI: cpstat identityServer -f idc
- Via pdp CLI: pdp idc status (available since R80.30)

 

do an snmpwalk on the GW starting from .1.3.6.1.4.1.2620.1.38 - you will see all the OID's under that root....

more details https://oidref.com/1.3.6.1.4.1.2620.1.38

Thank you,

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events