Unon
Participant

LDAP Account Unit

Hi,

Recently I started messing around with Identity Awareness using the Identity Collector.

I've seen in the admin guide that an LDAP Account Unit is required, but when I created an object for it I didn't find how to associate it with the gateway. On another deployment done before me I can see the LDAP Account Unit used within the gateway, and that's what I'm trying to understand. Can you please help?

24 Replies
Lesley
Advisor

Is this not in the wizard when you enable the Identity Awareness blade under the gateway object?

From memory, you have to connect to AD there, correct?

Unon
Participant

In the wizard there is a part where you configure which AD you query, and it uses the Account Unit. Yet when I want to see where the Account Unit is used, I see nothing. In the other deployment, when you view where it's used, you can see it used in the identity-aware firewall.

the_rock
Legend

Have you already created the LDAP Account Unit? If so, can you fetch the branches?

Best,

Andy

Unon
Participant

No, I can't, but still, the Account Unit should be associated with the gateway, shouldn't it? And moreover, let's say I want to get identities from multiple ADs; how can I associate more than one if I can only add one via the Identity Awareness wizard?

Essentially I'm trying to find an easy way to associate an LDAP Account Unit with a gateway. I wanted to start from the easiest part and then try harder scenarios.

But thanks, you helped me understand some things.

the_rock
Legend

Yes, 100%, it HAS TO BE associated with the gateway. Put it this way... the Identity Collector changes how the gateway will "get" the users, so it's via the logs instead of WMI, BUT it still has to pull the groups via the LDAP Account Unit, regardless of whether you use IC or not.

Makes sense?

Best,

Andy

Unon
Participant

It does make sense, and now I understand more, but I'm still confused about why I can't see the LDAP Account Unit associated with the gateway. Now that I know it is supposed to be associated via the Identity Awareness wizard, I don't understand how to associate multiple LDAP Account Units with the same gateway.

I would believe that it's simpler than I imagine, but currently I can't find how to do it.

Lesley
Advisor

Relevant FW object -> Identity Awareness -> Identity Collector Settings -> Settings -> Specific (here you can select which Account Units this firewall can read).
The default is All, i.e. ALL configured Account Units.

the_rock
Legend

Ok, let's take a step back. Please confirm:

1) Is the LDAP Account Unit created?

2) If so, do you have all the servers configured that are needed?

and

3) If yes to both 1 and 2, can you fetch the branches?

Best,

Andy

Unon
Participant

Yes to 1 and 2, no on 3, maybe because I missed something in the server configuration, or because of networking problems I'm going to fix later. Is that the problem? Shouldn't the LDAP Account Unit be associated with the gateway anyway, whether it works or not? When I say associated, I mean that it shows up when I check where it's used.

the_rock
Legend

Well, if that's the case, it will never work, sadly. Can you communicate with the server from the FW itself? Did you make sure the rule allows it? See, if the unit is there, that's fantastic, BUT if the communication is failing, then it's not very useful. The only time fetching the branches would not work is if you use an S1C instance, because that's expected; otherwise, if it's on-prem, it has to work, for sure. Can you ping the FW from the AD at all?

Best,

Andy

Unon
Participant

No, currently I have networking problems, so I wanted to start by first configuring everything on the gateway side and then tackling the problems. I understand from you that it's impossible to do it that way, so I will work to fix these issues and see if things improve.

Thanks a lot for your help!

the_rock
Legend

No problem at all. By the way, as a side note, I would NOT use AD Query, opt out for AD instead. See the great discussion in the post below.

Best,

Andy

 

https://community.checkpoint.com/t5/Security-Gateways/New-IA-Implementation/m-p/185851#M34184

Unon
Participant

Thanks for the reference!

I read it a bit, and I have a question out of curiosity. Let's say I want to implement Identity Awareness using an Identity Collector. Am I required to create an LDAP Account Unit? From what you cited it seems like it's not a necessity, but in some documentation it seems like it is, for reading logs. I'm trying to understand how to properly implement IA according to best practice.

the_rock
Legend

The LDAP Account Unit has to be there... that's how groups are pulled. You can uncheck the AD Query setting and simply have IC on.

I will send you screenshot later.

Andy

Unon
Participant

Ok thanks!

the_rock
Legend

Btw, when you enable the IA blade, you don't even need to go through the wizard: just enable the blade, cancel the screen and then save, go back and simply enable the IC option, configure the settings there, save, install policy, test.

Andy

Unon
Participant

Really? Then how do I associate the LDAP Account Unit object with the gateway?

the_rock
Legend

Accepted solution:

NO : - ). That is not how you associate it. You need to have the LDAP Account Unit there, that's it. AD Query does NOT need to be enabled in the wizard. We have many customers who have an LDAP Account Unit and don't even have the IA blade enabled; it's fine. The only downside is that without the IA blade on, you cannot use access roles, which are helpful. Otherwise, logs will have usernames in them; it works fine even without the IA blade enabled.

Best,

Andy

Unon
Participant

Wow, I didn't know that! Really, thanks a lot for all of your time, it helped me a lot!

the_rock
Legend

Hey, all good, we learn things every day! I did not know until last year that the Sun's radius is 110 times bigger than Earth's, and now I know 🙂

Life is all about learning, my friend; it's never a shame not to know things. We learn, that's it.

Best,

Andy

the_rock
Legend

Also, as I stated before, MAKE SURE communication is there between the AD server and the firewall; that's the first step.

If you need help or have more questions, you can message me directly.

Andy

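The prerequisite Andy stresses here and earlier in the thread (the gateway must reach the AD server, and the Account Unit's bind credentials must be able to fetch the branches) can be checked from the command line before touching SmartConsole. The script below is an added example, not Check Point code and not from any post in this thread. It assumes the OpenLDAP `ldapsearch` client is installed on the host you run it from; the DC host name, bind DN and password-file path are placeholders, and the LDIF sample embedded in it is constructed, not captured from a real domain.

```python
"""Pre-flight check for a Check Point LDAP Account Unit (added example).

Two stages, mirroring the thread's advice:
  1. tcp_reachable   - can this host complete a TCP handshake to the DC on
                       the LDAP port? A drop rule shows up here as a timeout.
  2. rootDSE query   - can the bind account read namingContexts, i.e. the
                       directory branches that SmartConsole's "Fetch branches"
                       asks the server for?
Host, bind DN and password-file path are placeholders (assumptions).
"""
import base64
import socket
import subprocess

LDAP_PORTS = {"ldap": 389, "ldaps": 636}


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port is established within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def selfcheck() -> bool:
    """Sanity-check tcp_reachable against a throwaway local listener."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return tcp_reachable("127.0.0.1", srv.getsockname()[1])


def build_rootdse_query(host: str, bind_dn: str, passwd_file: str,
                        scheme: str = "ldap") -> list:
    """argv for an OpenLDAP ldapsearch that reads only the rootDSE
    namingContexts attribute. -y reads the password from a file so it does
    not appear in the process list (-w would)."""
    return [
        "ldapsearch", "-x",
        "-H", f"{scheme}://{host}:{LDAP_PORTS[scheme]}",
        "-D", bind_dn, "-y", passwd_file,
        "-s", "base", "-b", "", "namingContexts",
    ]


def _unfold(text: str) -> list:
    """LDIF folds long values onto continuation lines that start with one
    space; join them back before parsing."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_naming_contexts(ldif: str) -> dict:
    """Extract the namingContexts values (the branches) and the LDAP result
    code from ldapsearch output. 'attr::' marks a base64-encoded value."""
    contexts, result_code = [], None
    for line in _unfold(ldif):
        if line.startswith("namingContexts::"):
            raw = line.split("::", 1)[1].strip()
            contexts.append(base64.b64decode(raw).decode("utf-8"))
        elif line.startswith("namingContexts:"):
            contexts.append(line.split(":", 1)[1].strip())
        elif line.startswith("result:"):
            result_code = int(line.split(":", 1)[1].split()[0])
    return {"result_code": result_code, "contexts": contexts}


def check_account_unit(host: str, bind_dn: str, passwd_file: str,
                       scheme: str = "ldap") -> dict:
    """Run both stages; 'stage' tells you where it failed."""
    port = LDAP_PORTS[scheme]
    if not tcp_reachable(host, port):
        return {"ok": False, "stage": "tcp", "detail": f"{host}:{port} unreachable"}
    proc = subprocess.run(build_rootdse_query(host, bind_dn, passwd_file, scheme),
                          capture_output=True, text=True)
    if proc.returncode != 0:  # ldapsearch exits with the LDAP result code, e.g. 49 = invalidCredentials
        return {"ok": False, "stage": "bind", "detail": proc.stderr.strip() or f"rc={proc.returncode}"}
    parsed = parse_naming_contexts(proc.stdout)
    return {"ok": bool(parsed["contexts"]), "stage": "fetch", "detail": parsed["contexts"]}


# Constructed sample of what ldapsearch prints for an AD rootDSE (not a real capture).
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: DC=corp,DC=example,DC=com
namingContexts: CN=Configuration,DC=corp,DC=example,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=corp,DC=example,
 DC=com
namingContexts:: REM9RG9tYWluRG5zWm9uZXMsREM9Y29ycCxEQz1leGFtcGxlLERDPWNvbQ==

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

if __name__ == "__main__":
    # Placeholder values: the DC the Account Unit points at and its bind DN.
    print(check_account_unit("dc01.corp.example.com",
                             "CN=svc-cp-ldap,OU=Service,DC=corp,DC=example,DC=com",
                             "/home/admin/ldap.pw"))
```

Run it from the gateway itself (expert mode) or from a host in the same segment, not from your workstation: the point is to prove the path the Account Unit will actually use. A `tcp` failure means routing or a missing rule; a `bind` failure with result code 49 means the credentials on the Account Unit are wrong; an empty `fetch` result means the bind works but the account cannot read the rootDSE. For LDAPS (port 636) the DC's certificate must also be trusted, which this script does not verify.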
Unon
Participant

I will, and once more, really, thank you for all your time and effort.

the_rock
Legend

Fyfoc=for you free of charge 😉

the_rock
Legend

[Attachment: Screenshot_1.png]
