The wizard that appears when enabling the IA-blade on a cluster/gateway object does not represent the best practices for IA. In fact, the default choice is also the worst selection possible, as it fools customers into using the AD Query option.
I suggest to either remove the wizard entirely and replace it with something that moves the customer to use Identity Awareness Collector and the normal Identity Agent; these are the first anyone should configure.
Also I'd rather have the option to not have it pop up permanently.
Suggestion:
A replacement could for instance trigger if there is no Active Directory Account Unit configured; then guide the customer to configure that and enable IAC.
I see your point, but I believe it's been that way for a very long time. The idea, in my personal opinion, is that when you are going through it, you set up the connection with the AD server, as without it, it's really pointless even having the IA blade enabled in the first place. The way I look at it is this... with identity awareness enabled, everything follows the user, NOT the IP address.
I don't buy "it has been that way for a very long time" as an argument.
Recently I had to unteach a couple colleagues the bad habit of enabling AD Query, just because CP selects it as default. If something is wrong it should be fixed, even if it takes 10 years to do it.
It's not supposed to be an argument, I'm just stating the fact :-). Personally, I really believe it's totally fine how it is, but that's just my opinion. I will let people from Check Point give feedback.
There is no best or worst selection here because it always depends on the customer's environment.
In fact, in one environment AD Query is a bad decision, but in a different one it's a good choice.
I second that. In a small company using AD, AD Query is a simple solution that works fine. Bigger companies will use IA Agent or Collector.
Yes, that's a good point!
I disagree with you both, first and foremost because AD Query is disregarding the principle of least privilege. If it was the only option, as it used to be, I wouldn't start this post, though better alternatives exist.
In my opinion Check Point should train both seasoned and new customers to use the more secure options.
AD Query is also unstable and causes lots of support tickets. Why is having the least effective, secure and the most problematic, from a security point of view, option as a default desirable?
In addition to that, it can happen that some day AD Query won't work anymore. Microsoft released the fix which broke the AD Query from Check Point, and Check Point is not willing to solve it on short notice.
That might be the indication that AD Query is not going to be supported and the customers should switch to IA Collector.
More info here:
Agreed, it is good for small customers, but Check Point is being used mainly in large enterprises. In my view, enterprise should be the preference. I did not see a large customer using AD Query.