Re: Identity Collector Setup

Jonathan_Langle · ‎2018-12-06

I am trying to experiement with the Identity Collector for IA. I have Identity Collector installed on Windows Server with our DCs and it has made a success SIC connection to one of our Gateways WIth Browser-Based Auth and Identity Collector Selected for its Sources. whenever I go to create an Access Role for my test user, I do not see my Identity Collector as a source under Specific users/Groups area, only the LDAP Account units from our AD Query set up. Am I missing something or doing something wrong here?

PhoneBoy · ‎2018-12-07

That's expected behavior.

Identity Collector is used to acquire users from Active Directory to the Security Gateways.

The groups those users are associated with are queried via LDAP.

Access Roles are also defined in terms of LDAP groups.

Jonathan_Langle · ‎2018-12-10

So how would i create a security rule to allow access to a specific site to a use with identity collector? I guess that is where I am lost.

Ole_Jakobsen · ‎2019-01-17

I have the same exact problem.

My collector collects events and logins from AD. I have gateways setup with Identity Collector access and they are connected.

In my GUI for Identity Collector, I can check that it looks logins in the "Logins Monitor" pane, and I see that it is connected and sends event to gateways in the "Gateways" panel.

My configuration is done according to the instructions "CP_R80.20_IdentityAwareness_AdminGuide.pdf".

But at the gate I can't see the identities when I try to create a new access role.

Also, in the logs in the gateway I see only "Error log" and "User Logout" events.

What am I missing? Where will the identity be created in the identity?

I hope someone can help clarify this I can't finde any sk that does that.

Cheers

Ole

PhoneBoy · ‎2019-01-18

Access Roles are defined in terms of LDAP Groups, not individual users.

The only pace you will see individual users is in the logs.

If you're not seeing any LDAP Groups when you create an Access Role, it suggests you have either not configured LDAP Account Units or there is a misconfiguration.

Ole_Jakobsen · ‎2019-01-28

So just to clarify, for myself, Identity Collector is used populate LDAP groups retrieved from LDAP/AD via Account Units. Correct?

Timothy_Hall · ‎2019-01-28

No, the IC parses the domain security log entries and forms mappings for LAN IP addresses to a username, and sends that information to the gateway who places it into its IA cache. Upon receipt of the new mapping, the gateway itself directly queries AD to retrieve the mapped user's group memberships and keeps them up to date. If you want to look directly in the gateways IA cache for troubleshooting purposes, please see my response in this thread:

https://community.checkpoint.com/message/38332-re-app-control-ignoring-a-rule?commentID=38332#commen...

--

CheckMates Break Out Sessions Speaker

CPX 2019 Las Vegas & Vienna - Tuesday@13:30

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com

Ole_Jakobsen · ‎2019-02-07

Thanks for your answer Timothy. That clarifies some things for me

Is it the same thing with IC and Cisco ISE?

If IC retrieves User/IP mapping from Cisco ISE and sends them to the GW to be stored in the IA cache. Do the GW then query ISE for "SGT" membership or is the membership included in the information from ISE and the populated to the "Identity Tag" that is manually created according to Identity Awareness Admin Guide as CSGT-<SGT_NAME>?

PhoneBoy · ‎2019-02-08

It still works the same way, more or less:

Identity comes from Cisco ISE in the form of name, machine, and IP
Groups come from LDAP

With Cisco ISE, there is an additional mechanism that leverages the CSGT-<Name> tags via the

CloudGuard Controller: CloudGuard Controller R80.20 Administration Guide

You can create rules based on these tags once they are defined.