Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Unon
Participant
Jump to solution

LDAP Account Unit

Hi,

Recently I started messing around with identity awareness with Identity Collector.

I've seen in the admin guide that ldap account unit is required, but when I created an object for it I didn't find how to associate it with the gateway. On other deployment done before me I can see the ldap account unit used within the gateway and that's what I'm trying to understand. Can you please help?

0 Kudos
1 Solution

Accepted Solutions
the_rock
Legend
Legend

NO : - ). That is not how you associate it. You need to have ldap acccount unit there, thats it. AD query does NOT need to be enabled in the wizard. We have many customers who have ldap account unit and dont even have IA blade enabled, its fine. Only downside is that without ia blade on, you cannot use access roles, which is helpful. Otherwise, logs will have usernames contained in them, it works fine even without ia blade enabled.

Best,

Andy

View solution in original post

0 Kudos
24 Replies
Lesley
Leader Leader
Leader

Is this not in the wizard when you enable Identity blade under the gateway object?

From my mind you have to connect with ad there correct? 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Unon
Participant

In the wizard there is a part where you configure what AD you query and it uses the account unit. Yet when I want to see where the account unit is used I see nothing. In the other deployment when you view where it's used you can see it used in the identity aware fw

0 Kudos
the_rock
Legend
Legend

You created already LDAP account unit? If so, can you fetch the branches?

Best,

Andy

0 Kudos
Unon
Participant

No I can't but still the account unit should be associated with the gateway isn't it? And moreover let's say I want to get identities from multiple ADs how can I associate more than one if I can only add via the identity awareness wizard?

Essentially I try to find an easy way to associate ldap account unit to a gateway. I wanted to start from the easiest part and than try more harder scenarios.

But thanks you helped me understand some things

0 Kudos
the_rock
Legend
Legend

Yes, 100% is HAS TO BE associated with the gateway. Put it this way...identity collector changes how the gateway will "get" the users, so its via the logs instead of WMI, BUT, it still has to pull the groups via LDAP account unit, regardless if you use IC or not.

Makes sense?

Best,

Andy

0 Kudos
Unon
Participant

It does make sense and now I understand more but I'm still confused about why I can't see the ldap account unit associated with the gateway and now that I know it is supposed to be associated via the identity awareness wizard I don't understand how to associate multiple ldap account unit with the same gateway?

I would believe that it's more simple than I imagine but currently I can't find how to do it.

0 Kudos
Lesley
Leader Leader
Leader

Relevant FW object -> Identity Awareness -> Identity Collector Settings -> Settings -> Specific (in here you can select what account unit this firewall can read).
Default is all, so ALL configured account units.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
the_rock
Legend
Legend

Ok, lets take step back. Please confirm.

1) Is LDAP account unit created?

2) If so, do you have all servers configured needed?

and 

3) If yes to both 1 and 2, can you fetch the branches?

Best,

Andy

0 Kudos
Unon
Participant

Yes to 1 and 2 no on the 3 maybe because I missed something in the server configuration or networking problems I'm gonna fix later. Is that the problem? shouldn't the ldap account unit be associated with the gateway anyway wether it works or not? When I say associate I mean that if I see where it's used

0 Kudos
the_rock
Legend
Legend

Well, if thats the case, it will never work sadly. Can you communicate with the server from the fw itself? Did you make sure rule allows it? See, if unit is there, thats fantastic, BUT, if the communication is failing, then its not very useful. The only time fetching the branches would not work is if you use S1C instance, because thats expected, otherwise, if its on-prem, it has to work, for sure. Can you ping the fw from the AD at all?

Best,

Andy

0 Kudos
Unon
Participant

No currently I have networking problems so I wanted to start by first configure everything on the gateway side and than tackling the problems. I understand from you that it's impossible to do it that way so I will work to fix these issues and see if things are improving

Thanks a lot for your help!

0 Kudos
the_rock
Legend
Legend

No problem at all. By the way, as a side note, I would NOT use ad query, opt out for AD instead. See great discussion in below post.

Best,

Andy

 

https://community.checkpoint.com/t5/Security-Gateways/New-IA-Implementation/m-p/185851#M34184

0 Kudos
Unon
Participant

Thanks for the reference!

I read it a bit and I have a question out of curiosity. Let's say I want to implement identity awareness by using an Identity collector. Am I required to create ldap account unit? From what you cited seems like it's not a necessity but in some documentations it's seems like it is for reading logs. I'm trying to understand how to properly implement IA according to the best practice

0 Kudos
the_rock
Legend
Legend

ldap account unit has to be there...thats how groups are pulled. You can uncheck ad query setting and simply have ic on.

I will send you screenshot later.

Andy

0 Kudos
Unon
Participant

Ok thanks!

0 Kudos
the_rock
Legend
Legend

Btw, when you enable IA blade, you dont even need to go through wizard, just enable the blade, cancel the screen and then save, go back and simply enable IC option, configure settings there, save, install policy, test.

Andy

0 Kudos
Unon
Participant

Really? Than how I associate the ldap account unit object with the gateway?

0 Kudos
the_rock
Legend
Legend

NO : - ). That is not how you associate it. You need to have ldap acccount unit there, thats it. AD query does NOT need to be enabled in the wizard. We have many customers who have ldap account unit and dont even have IA blade enabled, its fine. Only downside is that without ia blade on, you cannot use access roles, which is helpful. Otherwise, logs will have usernames contained in them, it works fine even without ia blade enabled.

Best,

Andy

0 Kudos
Unon
Participant

Wow I didn't know that! Really thanks a lot for all of your time it helped me a lot!

0 Kudos
the_rock
Legend
Legend

Hey, all good, we learn things every day! I did not know up until last year that Sun's radius is 110 times bigger than Earth's and now I know 🙂

Life is all about learning my friend, never a shame not knowing things, we learn, thats it.

Best,

Andy

the_rock
Legend
Legend

Also, as I stated before, MAKE SURE communication is there between AD server and firewall, thats the first step.

If you need help or have more questions, you can message me directly.

Andy

0 Kudos
Unon
Participant

I will and once more really thank you for all your time and effort

the_rock
Legend
Legend

Fyfoc=for you free of charge 😉

0 Kudos
the_rock
Legend
Legend

Screenshot_1.png

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events