LDAP Account Unit
Hi,
Recently I started messing around with identity awareness with Identity Collector.
I've seen in the admin guide that an LDAP account unit is required, but when I created an object for it I didn't find how to associate it with the gateway. On another deployment done before me I can see the LDAP account unit used within the gateway, and that's what I'm trying to understand. Can you please help?
Is this not in the wizard when you enable Identity blade under the gateway object?
From my mind, you have to connect with AD there, correct?
If you like this post please give a thumbs up(kudo)! 🙂
In the wizard there is a part where you configure what AD you query, and it uses the account unit. Yet when I want to see where the account unit is used, I see nothing. In the other deployment, when you view where it's used, you can see it used in the identity-aware FW.
Have you already created the LDAP account unit? If so, can you fetch the branches?
Best,
Andy
No, I can't, but still the account unit should be associated with the gateway, shouldn't it? And moreover, let's say I want to get identities from multiple ADs: how can I associate more than one if I can only add via the Identity Awareness wizard?
Essentially I'm trying to find an easy way to associate an LDAP account unit with a gateway. I wanted to start from the easiest part and then try harder scenarios.
But thanks, you helped me understand some things.
Yes, 100% it HAS TO BE associated with the gateway. Put it this way... Identity Collector changes how the gateway will "get" the users, so it's via the logs instead of WMI, BUT it still has to pull the groups via the LDAP account unit, regardless of whether you use IC or not.
Makes sense?
Best,
Andy
It does make sense and now I understand more, but I'm still confused about why I can't see the LDAP account unit associated with the gateway. And now that I know it is supposed to be associated via the Identity Awareness wizard, I don't understand how to associate multiple LDAP account units with the same gateway.
I would believe it's simpler than I imagine, but currently I can't find how to do it.
Relevant FW object -> Identity Awareness -> Identity Collector Settings -> Settings -> Specific (in here you can select what account unit this firewall can read).
Default is all, i.e. ALL configured account units.
If you like this post please give a thumbs up(kudo)! 🙂
Ok, let's take a step back. Please confirm:
1) Is the LDAP account unit created?
2) If so, do you have all the servers configured that are needed?
and
3) If yes to both 1 and 2, can you fetch the branches?
Best,
Andy
Yes to 1 and 2, no on 3, maybe because I missed something in the server configuration or because of networking problems I'm going to fix later. Is that the problem? Shouldn't the LDAP account unit be associated with the gateway anyway, whether it works or not? When I say associate, I mean that if I see where it's used
Well, if that's the case, it will never work, sadly. Can you communicate with the server from the FW itself? Did you make sure a rule allows it? See, if the unit is there, that's fantastic, BUT if the communication is failing, then it's not very useful. The only time fetching the branches would not work is if you use an S1C instance, because that's expected; otherwise, if it's on-prem, it has to work, for sure. Can you ping the FW from the AD at all?
Best,
Andy
No, currently I have networking problems, so I wanted to start by first configuring everything on the gateway side and then tackling the problems. I understand from you that it's impossible to do it that way, so I will work to fix these issues and see if things improve.
Thanks a lot for your help!
No problem at all. By the way, as a side note, I would NOT use AD Query; opt for AD instead. See the great discussion in the post below.
Best,
Andy
https://community.checkpoint.com/t5/Security-Gateways/New-IA-Implementation/m-p/185851#M34184
Thanks for the reference!
I read it a bit and I have a question out of curiosity. Let's say I want to implement Identity Awareness by using an Identity Collector. Am I required to create an LDAP account unit? From what you cited it seems like it's not a necessity, but in some documentation it seems like it is for reading logs. I'm trying to understand how to properly implement IA according to best practice.
The LDAP account unit has to be there... that's how groups are pulled. You can uncheck the AD Query setting and simply have IC on.
I will send you screenshot later.
Andy
Ok thanks!
Btw, when you enable the IA blade, you don't even need to go through the wizard: just enable the blade, cancel the screen and then save, go back and simply enable the IC option, configure the settings there, save, install policy, test.
Andy
Really? Then how do I associate the LDAP account unit object with the gateway?
NO :-). That is not how you associate it. You need to have the LDAP account unit there, that's it. AD Query does NOT need to be enabled in the wizard. We have many customers who have an LDAP account unit and don't even have the IA blade enabled; it's fine. The only downside is that without the IA blade on, you cannot use access roles, which are helpful. Otherwise, logs will have usernames contained in them; it works fine even without the IA blade enabled.
Best,
Andy
Wow, I didn't know that! Really, thanks a lot for all of your time, it helped me a lot!
Hey, all good, we learn things every day! I did not know up until last year that Sun's radius is 110 times bigger than Earth's and now I know 🙂
Life is all about learning, my friend. It's never a shame not knowing things; we learn, that's it.
Best,
Andy
Also, as I stated before, MAKE SURE communication is there between the AD server and the firewall; that's the first step.
If you need help or have more questions, you can message me directly.
Andy
I will, and once more, really, thank you for all your time and effort.
Fyfoc = for you, free of charge 😉
I see what Unon is talking about. When you click on "Where Used" on the LDAP account unit object, it shows it is being used in specific gateway objects. But where??? So, when you bring up a new gateway, how do you add it? IOW, how do you associate that NEW gateway? There must be a list somewhere.
Apparently it isn't required in order to make it work with the gateway. Yet I don't know the meaning of it, and if someone knows, feel free to share 🙂