Harald_Hansen
Collaborator

Improve Identity Awareness Wizard

The wizard that appears when enabling the IA blade on a cluster/gateway object does not represent the best practices for IA. In fact, the default choice is also the worst selection possible, as it fools customers into using the AD Query option.

I suggest removing the wizard entirely and replacing it with something that moves the customer to use Identity Awareness Collector and the normal Identity Agent; these are the first things anyone should configure.

Also, I'd rather have the option to stop it from popping up permanently.

Suggestion:

A replacement could for instance trigger if there is no Active Directory Account Unit configured; then guide the customer to configure that and enable IAC.

9 Replies
the_rock
Authority

I see your point, but I believe it's been that way for a very long time. The idea, in my personal opinion, is that when you are going through it, you set up the connection with the AD server, as without it, it's really pointless even having the IA blade enabled in the first place. The way I look at it is this... with Identity Awareness enabled, everything follows the user, NOT the IP address.

Harald_Hansen
Collaborator

I don't buy "it has been that way for a very long time" as an argument.

Recently I had to unteach a couple of colleagues the bad habit of enabling AD Query, just because CP selects it as the default. If something is wrong it should be fixed, even if it takes 10 years to do it.

the_rock
Authority

It's not supposed to be an argument, I'm just stating the fact :-). Personally, I really believe it's totally fine how it is, but that's just my opinion. I will let people from Check Point give feedback.

Vincent_Bacher
Advisor

There is no best or worst selection here because it always depends on the customer's environment.

In fact, in one environment AD Query is a bad decision, but in a different one it's a good choice.

and now to something completely different
G_W_Albrecht
Legend

I second that. In a small company using AD, AD Query is a simple solution that works fine. Bigger companies will use IA Agent or Collector.

CCSE CCTE SMB Specialist
the_rock
Authority

Yes, that's a good point!

Harald_Hansen
Collaborator

I disagree with you both, first and foremost because AD Query disregards the principle of least privilege. If it were the only option, as it used to be, I wouldn't have started this post, but better alternatives exist.

In my opinion Check Point should train both seasoned and new customers to use the more secure options.

AD Query is also unstable and causes lots of support tickets. Why is having the least effective, least secure and most problematic option, from a security point of view, as the default desirable?

JozkoMrkvicka
Leader

In addition to that, it can happen that some day AD Query won't work anymore. Microsoft released a fix which broke AD Query from Check Point, and Check Point is not willing to solve it on short notice.

That might be an indication that AD Query is not going to be supported and that customers should switch to IA Collector.

More info here:

https://community.checkpoint.com/t5/General-Topics/AD-query-failed-with-Microsoft-Windows-Server-202...

Kind regards,
Jozko Mrkvicka
harshbhati
Explorer

Agreed, it's good for small customers, but Check Point is being used mainly in large enterprises. In my view, enterprises should be the preference. I did not see a large customer using AD Query.
