Hi,
Recently I started messing around with Identity Awareness using the Identity Collector.
I've seen in the admin guide that an LDAP account unit is required, but when I created an object for it I didn't find how to associate it with the gateway. On another deployment done before me I can see the LDAP account unit used within the gateway, and that's what I'm trying to understand. Can you please help?
Is this not in the wizard when you enable the Identity Awareness blade under the gateway object?
To my mind you have to connect to AD there, correct?
In the wizard there is a part where you configure which AD you query, and it uses the account unit. Yet when I want to see where the account unit is used, I see nothing. In the other deployment, when you view where it's used, you can see it used in the identity-aware firewall.
Have you already created the LDAP account unit? If so, can you fetch the branches?
Best,
Andy
No, I can't, but the account unit should still be associated with the gateway, shouldn't it? And moreover, let's say I want to get identities from multiple ADs: how can I associate more than one if I can only add them via the Identity Awareness wizard?
Essentially I'm trying to find an easy way to associate an LDAP account unit with a gateway. I wanted to start from the easiest part and then try harder scenarios.
But thanks, you helped me understand some things.
Yes, 100% it HAS TO BE associated with the gateway. Put it this way: Identity Collector changes how the gateway will "get" the users, so it's via the logs instead of WMI, BUT it still has to pull the groups via the LDAP account unit, regardless of whether you use IC or not.
Makes sense?
Best,
Andy
It does make sense and now I understand more, but I'm still confused about why I can't see the LDAP account unit associated with the gateway. Now that I know it is supposed to be associated via the Identity Awareness wizard, I don't understand how to associate multiple LDAP account units with the same gateway.
I would believe that it's simpler than I imagine, but currently I can't find how to do it.
Relevant FW object -> Identity Awareness -> Identity Collector Settings -> Settings -> Specific (here you can select which account units this firewall can read).
Default is All, i.e. ALL configured account units.
OK, let's take a step back. Please confirm:
1) Is LDAP account unit created?
2) If so, do you have all servers configured needed?
and
3) If yes to both 1 and 2, can you fetch the branches?
Best,
Andy
Yes to 1 and 2, no on 3, maybe because I missed something in the server configuration or there are networking problems I'm going to fix later. Is that the problem? Shouldn't the LDAP account unit be associated with the gateway anyway, whether it works or not? When I say "associated" I mean that I see it when I check where it's used.
Well, if that's the case, it will never work, sadly. Can you communicate with the server from the FW itself? Did you make sure a rule allows it? See, if the unit is there, that's fantastic, BUT if the communication is failing, then it's not very useful. The only time fetching the branches would not work is if you use an S1C instance, because that's expected; otherwise, if it's on-prem, it has to work, for sure. Can you ping the FW from the AD at all?
Best,
Andy
No, currently I have networking problems, so I wanted to start by first configuring everything on the gateway side and then tackling the problems. I understand from you that it's impossible to do it that way, so I will work to fix these issues and see if things are improving.
Thanks a lot for your help!
No problem at all. By the way, as a side note, I would NOT use AD Query; opt out for AD instead. See the great discussion in the post below.
Best,
Andy
https://community.checkpoint.com/t5/Security-Gateways/New-IA-Implementation/m-p/185851#M34184
Thanks for the reference!
I read it a bit and I have a question out of curiosity. Let's say I want to implement Identity Awareness using an Identity Collector. Am I required to create an LDAP account unit? From what you cited it seems like it's not a necessity, but in some documentation it seems like it is, for reading logs. I'm trying to understand how to properly implement IA according to best practice.
The LDAP account unit has to be there; that's how groups are pulled. You can uncheck the AD Query setting and simply have IC on.
I will send you screenshot later.
Andy
Ok thanks!
Btw, when you enable the IA blade, you don't even need to go through the wizard: just enable the blade, cancel the screen and then save, go back and simply enable the IC option, configure the settings there, save, install policy, test.
Andy
Really? Then how do I associate the LDAP account unit object with the gateway?
NO : - ). That is not how you associate it. You need to have the LDAP account unit there, that's it. AD Query does NOT need to be enabled in the wizard. We have many customers who have an LDAP account unit and don't even have the IA blade enabled; it's fine. The only downside is that without the IA blade on, you cannot use access roles, which are helpful. Otherwise, logs will have usernames contained in them; it works fine even without the IA blade enabled.
Best,
Andy
Wow I didn't know that! Really thanks a lot for all of your time it helped me a lot!
Hey, all good, we learn things every day! I did not know up until last year that the Sun's radius is 110 times bigger than Earth's, and now I know 🙂
Life is all about learning, my friend; it's never a shame not knowing things, we learn, that's it.
Best,
Andy
Also, as I stated before, MAKE SURE communication is there between the AD server and the firewall; that's the first step.
If you need help or have more questions, you can message me directly.
Andy
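The point Andy repeats twice above ("can you communicate with the server from the FW itself?" and "MAKE SURE communication is there between the AD server and the firewall") is what the account unit's Fetch Branches button is really testing. As an added example, not part of this thread and not Check Point's own tooling, the script below walks the same prerequisites by hand from any host that shares the gateway's path to the domain controller: name resolution, a TCP connection to 389 (or 636 for LDAPS), and an LDAPv3 simple bind with the account unit's credentials. It encodes the BindRequest directly in BER (RFC 4511) so it needs only the Python standard library. The host name, bind DN and environment variable are assumed placeholders, and the response bytes used in the checks are constructed samples, not captured traffic.

```python
"""Offline-testable LDAP bind probe: resolve -> connect -> simple bind (RFC 4511).
Added example; the server name, bind DN and env var are hypothetical placeholders."""
import os
import socket
import ssl
from dataclasses import dataclass

# Subset of LDAP resultCode values (RFC 4511, section 4.1.9)
RESULT_CODES = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
                32: "noSuchObject", 49: "invalidCredentials", 53: "unwillingToPerform"}


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int) -> bytes:
    """INTEGER with a minimal two's-complement body (non-negative values only)."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def build_simple_bind(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    auth = tlv(0x80, password.encode())                     # simple [0] OCTET STRING
    bind = tlv(0x60, ber_int(3) + tlv(0x04, bind_dn.encode()) + auth)
    return tlv(0x30, ber_int(msg_id) + bind)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


@dataclass
class BindResult:
    msg_id: int
    result_code: int
    matched_dn: str
    diagnostic: str

    @property
    def ok(self) -> bool:
        return self.result_code == 0

    def describe(self) -> str:
        name = RESULT_CODES.get(self.result_code, "resultCode %d" % self.result_code)
        return "%s: %s" % (name, self.diagnostic) if self.diagnostic else name


def parse_bind_response(data: bytes) -> BindResult:
    """Decode LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage } }."""
    tag, body, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    _, mid, pos = read_tlv(body, 0)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(op, 0)                          # ENUMERATED resultCode
    _, matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return BindResult(int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
                      matched.decode(errors="replace"), diag.decode(errors="replace"))


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def recv_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed LDAPMessage (header first, then the announced length)."""
    head = recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        ext = recv_exact(sock, length & 0x7F)
        head, length = head + ext, int.from_bytes(ext, "big")
    return head + recv_exact(sock, length)


def probe_ldap(host: str, port: int = 389, bind_dn: str = "", password: str = "",
               use_tls: bool = False, timeout: float = 5.0):
    """Walk the prerequisites in order. Returns (stage, detail): the first stage that
    failed ("dns" or "tcp") with a reason, or ("bind", BindResult) once a response was decoded."""
    try:
        ip = socket.gethostbyname(host)
    except socket.gaierror as exc:
        return "dns", "cannot resolve %s: %s" % (host, exc)
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
    except OSError as exc:                                  # refused, filtered by policy, or timed out
        return "tcp", "cannot reach %s:%d (%s)" % (ip, port, exc)
    if use_tls:                                             # LDAPS on 636, server certificate verified
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_simple_bind(1, bind_dn, password))
        return "bind", parse_bind_response(recv_message(sock))


if __name__ == "__main__":
    # Hypothetical values; use the account unit's server, bind DN and password.
    stage, detail = probe_ldap("dc01.corp.example", 636, "CN=svc-checkpoint,OU=Service,DC=corp,DC=example",
                               os.environ.get("LDAP_BIND_PW", ""), use_tls=True)
    print(stage, detail.describe() if isinstance(detail, BindResult) else detail)
```

Read the first element of the result as "which layer to fix": a "dns" or "tcp" stage means routing, name resolution or the rule permitting the gateway's LDAP traffic, exactly the networking problem discussed in the thread; a "bind" stage with invalidCredentials means the account unit's bind DN or password, and the diagnosticMessage the server returns is the fastest clue. Run the real check over LDAPS (port 636, use_tls=True), since a simple bind on 389 sends the service account's password in clear; and run it from a host whose resolver and route match the gateway's, because a bind that works from your workstation says nothing about what the gateway can reach.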
I will and once more really thank you for all your time and effort
FYFOC = for you, free of charge 😉
I see what Unon is talking about. When you click "Where Used" on the LDAP account unit object, it shows it is being used in specific gateway objects. But where??? So, when you bring up a new gateway, how do you add it? In other words, how do you associate that NEW gateway? There must be a list somewhere.
Apparently it isn't required to make it work with the gateway. Yet I don't know the meaning of it, and if someone knows, feel free to share 🙂