This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Jonathan_Langle
Participant
‎2018-12-06 02:04 PM

Identity Collector Setup

I am trying to experiement with the Identity Collector for IA. I have Identity Collector installed on Windows Server with our DCs and it has made a success SIC connection to one of our Gateways WIth Browser-Based Auth and Identity Collector Selected for its Sources. whenever I go to create an Access Role for my test user, I do not see my Identity Collector as a source under Specific users/Groups area, only the LDAP Account units from our AD Query set up. Am I missing something or doing something wrong here?

Reply
8 Replies
PhoneBoy
Admin
Admin
‎2018-12-07 01:04 PM

That's expected behavior.

Identity Collector is used to acquire users from Active Directory to the Security Gateways.

The groups those users are associated with are queried via LDAP.

Access Roles are also defined in terms of LDAP groups. 

Reply
Jonathan_Langle
Participant
‎2018-12-10 06:17 AM
In response to PhoneBoy

So how would i create a security rule to allow access to a specific site to a use with identity collector? I guess that is where I am lost.

0 Kudos
Reply
Ole_Jakobsen
Contributor
‎2019-01-17 11:54 PM
In response to Jonathan_Langle

I have the same exact problem.

 

My collector collects events and logins from AD. I have gateways setup with Identity Collector access and they are connected.

 

In my GUI for Identity Collector, I can check that it looks logins in the "Logins Monitor" pane, and I see that it is connected and sends event to gateways in the "Gateways" panel.

My configuration is done according to the instructions "CP_R80.20_IdentityAwareness_AdminGuide.pdf".

But at the gate I can't see the identities when I try to create a new access role.

Also, in the logs in the gateway I see only "Error log" and "User Logout" events.

What am I missing? Where will the identity be created in the identity?

I hope someone can help clarify this Smiley Happy I can't finde any sk that does that.

Cheers

Ole

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2019-01-18 06:48 AM
In response to Ole_Jakobsen

Access Roles are defined in terms of LDAP Groups, not individual users.

The only pace you will see individual users is in the logs.

If you're not seeing any LDAP Groups when you create an Access Role, it suggests you have either not configured LDAP Account Units or there is a misconfiguration.

Reply
Ole_Jakobsen
Contributor
‎2019-01-28 12:06 AM
In response to PhoneBoy

So just to clarify, for myself, Identity Collector is used populate LDAP groups retrieved from LDAP/AD via Account Units. Correct?

0 Kudos
Reply
Timothy_Hall
Champion
Champion
‎2019-01-28 05:01 AM
In response to Ole_Jakobsen

No, the IC parses the domain security log entries and forms mappings for LAN IP addresses to a username, and sends that information to the gateway who places it into its IA cache.  Upon receipt of the new mapping, the gateway itself directly queries AD to retrieve the mapped user's group memberships and keeps them up to date.  If you want to look directly in the gateways IA cache for troubleshooting purposes, please see my response in this thread:

https://community.checkpoint.com/message/38332-re-app-control-ignoring-a-rule?commentID=38332#commen... 

--

CheckMates Break Out Sessions Speaker

CPX 2019 Las Vegas & Vienna - Tuesday@13:30

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com
Reply
Ole_Jakobsen
Contributor
‎2019-02-07 03:31 AM
In response to Timothy_Hall

Thanks for your answer Timothy. That clarifies some things for me Smiley Happy

Is it the same thing with IC and Cisco ISE?

 

If IC retrieves User/IP mapping from Cisco ISE and sends them to the GW to be stored in the IA cache. Do the GW then query ISE for "SGT" membership or is the membership included in the information from ISE and the populated to the "Identity Tag" that is manually created according to Identity Awareness Admin Guide as CSGT-<SGT_NAME>?

Reply
PhoneBoy
Admin
Admin
‎2019-02-08 02:08 PM
In response to Ole_Jakobsen

It still works the same way, more or less:

  • Identity comes from Cisco ISE in the form of name, machine, and IP
  • Groups come from LDAP

With Cisco ISE, there is an additional mechanism that leverages the CSGT-<Name> tags via the 

CloudGuard Controller: CloudGuard Controller R80.20 Administration Guide 

You can create rules based on these tags once they are defined.

0 Kudos
Reply