VIKAS1
Contributor

AD Quary to Identity collector

Hi Team,

We are using a 9100 with ClusterXL in an Active/Standby configuration, R81.20 with JHF 99, along with Mobile Access VPN with SNX. We are facing an issue with user-based policy.

We raised a TAC ticket and they suggested going with Identity Collector.

I need help configuring the Identity Collector on my gateway in the running setup.

 

1) Check Point model 9100 - R81.20, JHF 99

2) Management box - Smart-1 600 with R81.20, JHF 99

3) VPN - Mobile Access VPN with SNX

0 Kudos
12 Replies
Lesley
Authority

Maybe start with the how-to guide and try to follow it. If you get stuck, ask for help here.

I can post the whole process, but it is documented already.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
VIKAS1
Contributor

Thanks, I have followed the admin guide and configured the Identity Collector.

But when I run `pdp idc status`, I get the logs below:

[Expert@EMB-SJRM2-FW02:0]# pdp idc status
Identity Collector IP: 10.000.00.11---ip edited
Identity Collector status: Connected

Identity Sources:
No information about identity sources

0 Kudos
Lesley
Authority

This is a normal message that shows on all my setups with working IDC. Are there any specific issues?

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
VIKAS1
Contributor

Sometimes we are not getting logs for the users. Also, when I run the same CLI command on the other (standby) gateway, I get the output below. Both gateways are in Active/Standby.

[Expert@EMB-SJRM2-FW01:0]# pdp idc status
No connected Identity Collectors

Is there anything to change in the settings so we can reduce the sync?

Attached some snapshots, FYI.

0 Kudos
Lesley
Authority

Screenshots look good. What IDC version do you use? With "reduce sync", do you mean that if you change something in AD, for example add a user to an AD group, it takes long for the firewall to be aware of this change?

What version do you run on the GW? cpinfo -y all

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
VIKAS1
Contributor

Thanks for the update. IDC version 82.126.0000. If you see the output below, I have highlighted in bold that it says the Next LDAP Fetch time is almost more than 3 hrs.

[Expert@EMB-SJRM2-FW02:0]# pdp m user emb-kagir
Session:  33a4fc74
Session UUID:  {9A499F46-1573-FA66-F1DC-8C7464657172}
Ip:  10.199.10.116
Users: emb-kagir@bitel.local {1c791521}
   LogUsername:  Kumar Giri (emb-kagir)
   Groups: All Users;LDAP;LDAP_SSL_VPN;ad_user_Kumar_Giri
   Roles: All_Users;DMC_Teamviewer_Access;DeveloperSite_AccessGroup;Google_Drive_Access_Group;ID-Awareness;IT_Team;IT_VPN_testing;Youtube_Access_Group
   Client Type: Identity Collector (Active Directory)
   Authentication Method: Trust
   Distinguished Name: CN=Kumar Giri,OU=ActiveUsers,OU=bitel-Users,DC=bitel,DC=local
   Connect Time: Tue Jul 29 12:51:55 2025
   Next Reauthentication: Wed Jul 30 02:24:01 2025
   Next Connectivity Check: -
   Next Ldap Fetch: Tue Jul 29 15:26:14 2025

Packet Tagging Status:  Not Active
Published Gateways:  Local

[Expert@EMB-SJRM2-FW02:0]# cpinfo -y all

This is Check Point CPinfo Build 914000250 for GAIA
[MGMT]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 99
[IDA]
No hotfixes..
[CPFC]
HOTFIX_TEX_ENGINE_R8120_AUTOUPDATE
[FW1]
HOTFIX_TEX_ENGINE_R8120_AUTOUPDATE
HOTFIX_INEXT_NANO_EGG_AUTOUPDATE
HOTFIX_R80_40_MAAS_TUNNEL_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 99
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE

FW1 build number:
This is Check Point's software version R81.20 - Build 046
kernel: R81.20 - Build 053
[SecurePlatform]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 99
HOTFIX_GAIA_API_AUTOUPDATE
HOTFIX_ENDER_V17_AUTOUPDATE
[CPinfo]
No hotfixes..
[PPACK]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 99
[AutoUpdater]
HOTFIX_INFRA_CONFIG_AUTOUPDATE
[DIAG]
No hotfixes..
[CVPN]
HOTFIX_ESOD_SWS_AUTOUPDATE
HOTFIX_ESOD_SCANNER_AUTOUPDATE
HOTFIX_ESOD_CSHELL_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 99
[core_uploader]
HOTFIX_CHARON_HF
[CPUpdates]
BUNDLE_TEX_ENGINE_R8120_AUTOUPDATE Take: 15
BUNDLE_GAIA_API_AUTOUPDATE Take: 7
BUNDLE_ESOD_SWS_AUTOUPDATE Take: 14
BUNDLE_ESOD_SCANNER_AUTOUPDATE Take: 10
BUNDLE_INEXT_NANO_EGG_AUTOUPDATE Take: 23
BUNDLE_GENERAL_AUTOUPDATE Take: 21
BUNDLE_INFRA_CONFIG_AUTOUPDATE Take: 10
BUNDLE_INFRA_AUTOUPDATE Take: 72
BUNDLE_DEP_INSTALLER_AUTOUPDATE Take: 31
BUNDLE_R80_40_MAAS_TUNNEL_AUTOUPDATE Take: 68
BUNDLE_ESOD_CSHELL_AUTOUPDATE Take: 20
BUNDLE_CPVIEWEXPORTER_AUTOUPDATE Take: 75
BUNDLE_QUID_AUTOUPDATE Take: 48
BUNDLE_CPOTLPAGENT_AUTOUPDATE Take: 115
BUNDLE_CPOTELCOL_AUTOUPDATE Take: 192
BUNDLE_ENDER_V17_AUTOUPDATE Take: 26
BUNDLE_R81_20_JUMBO_HF_MAIN Take: 99
BUNDLE_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE Take: 21
BUNDLE_HCP_AUTOUPDATE Take: 84
BUNDLE_GOT_TPCONF_AUTOUPDATE Take: 158
BUNDLE_CPSDC_AUTOUPDATE Take: 34
BUNDLE_CORE_FILE_UPLOADER_AUTOUPDATE Take: 23
[cpsdc_wrapper]
HOTFIX_CPSDC_AUTOUPDATE
[hcp_wrapper]
HOTFIX_HCP_AUTOUPDATE
[CPDepInst]
No hotfixes..
[CPotelcol]
HOTFIX_OTLP_GA
[CPotlpAgent]
HOTFIX_OTLP_GA
[CPquid]
HOTFIX_QUID_AUTOUPDATE
[CPviewExporter]
HOTFIX_OTLP_GA

[Expert@EMB-SJRM2-FW02:0]#

I am facing an issue with the LDAP fetch time, and also sometimes we are not getting user logs.

0 Kudos
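As an added example (not from this thread and not Check Point's own tooling), the session dump above can be parsed offline to turn the Connect Time and Next Ldap Fetch timestamps into an interval, and the `pdp idc status` output from each cluster member can be summarised side by side. Only the field names and timestamp layout come from the output posted above; the hostnames, IP addresses, user, threshold and sample captures are constructed.

```python
"""Parse captured Check Point `pdp` output and flag long LDAP fetch intervals.

Added example for this thread (not Check Point code). It reads the text that
`pdp m user <name>` and `pdp idc status` print, as shown in the posts above,
and turns the timestamps into durations so a long "Next Ldap Fetch" gap is
easy to spot. Hostnames, IPs, user, threshold and captures are constructed.
"""
import re
from datetime import datetime

# Timestamp layout used by Connect Time / Next ... fields in the pdp output.
PDP_TIME_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed capture modelled on the thread's `pdp m user` output.
PDP_USER_SAMPLE = """Session:  33a4fc74
Session UUID:  {00000000-0000-0000-0000-000000000000}
Ip:  10.199.10.116
Users: jdoe@example.local {1c791521}
   LogUsername:  John Doe (jdoe)
   Groups: All Users;LDAP;LDAP_SSL_VPN
   Roles: All_Users;ID-Awareness
   Client Type: Identity Collector (Active Directory)
   Authentication Method: Trust
   Distinguished Name: CN=John Doe,OU=Users,DC=example,DC=local
   Connect Time: Tue Jul 29 12:51:55 2025
   Next Reauthentication: Wed Jul 30 02:24:01 2025
   Next Connectivity Check: -
   Next Ldap Fetch: Tue Jul 29 15:26:14 2025
"""

# Constructed `pdp idc status` captures: one member with an IDC, one without.
IDC_STATUS_CONNECTED = """Identity Collector IP: 192.0.2.11
Identity Collector status: Connected

Identity Sources:
No information about identity sources
"""
IDC_STATUS_NONE = "No connected Identity Collectors\n"


def parse_pdp_user(text):
    """Return the 'Key:  value' pairs of one `pdp m user` session as a dict."""
    fields = {}
    for line in text.splitlines():
        # Keys are words and spaces; the first colon ends the key, so values
        # such as '12:51:55' or 'CN=...,DC=local' are kept intact.
        m = re.match(r"\s*([A-Za-z ]+?):\s+(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def parse_pdp_time(value):
    """Convert a pdp timestamp such as 'Tue Jul 29 12:51:55 2025' to datetime."""
    return datetime.strptime(value, PDP_TIME_FMT)


def ldap_fetch_interval(fields):
    """Seconds between Connect Time and Next Ldap Fetch for a parsed session."""
    start = parse_pdp_time(fields["Connect Time"])
    nxt = parse_pdp_time(fields["Next Ldap Fetch"])
    return int((nxt - start).total_seconds())


def check_session(text, max_fetch_seconds=3600):
    """Parse one session and return (fields, findings).

    max_fetch_seconds is a constructed threshold: group changes in AD are not
    seen by the gateway until the next LDAP fetch, so a long interval means a
    long window in which a user keeps roles that AD has already revoked.
    """
    fields = parse_pdp_user(text)
    findings = []
    fetch = ldap_fetch_interval(fields)
    if fetch > max_fetch_seconds:
        findings.append(f"LDAP fetch interval {fetch}s exceeds {max_fetch_seconds}s")
    return fields, findings


def parse_idc_status(text):
    """Return [(ip, status), ...] from `pdp idc status`; empty when none connected."""
    collectors, ip = [], None
    for line in text.splitlines():
        m_ip = re.match(r"Identity Collector IP:\s*(\S+)", line)
        m_st = re.match(r"Identity Collector status:\s*(\S+)", line)
        if m_ip:
            ip = m_ip.group(1)
        elif m_st and ip is not None:
            collectors.append((ip, m_st.group(1)))
            ip = None
    return collectors


def cluster_idc_summary(member_outputs):
    """Map each cluster member name to the number of IDCs reporting Connected."""
    return {host: sum(1 for _, st in parse_idc_status(out) if st == "Connected")
            for host, out in member_outputs.items()}


if __name__ == "__main__":
    fields, findings = check_session(PDP_USER_SAMPLE)
    print(f"{fields['Users']}: next LDAP fetch in {ldap_fetch_interval(fields)}s")
    for f in findings:
        print("WARNING:", f)
    # Constructed member names; feed the real `pdp idc status` text per member.
    print(cluster_idc_summary({"FW01": IDC_STATUS_NONE, "FW02": IDC_STATUS_CONNECTED}))
```

Run it against the saved output of the two commands from each member; a member that reports no connected collector while its peer does is worth checking in the IDC configuration before looking at the fetch timer.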
Lesley
Authority

LDAP fetch timer can be changed:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_IdentityAwareness_AdminGuide...

IDC collector software is good. FW software also; no open bugs for this blade.

-------
If you like this post please give a thumbs up(kudo)! 🙂
VIKAS1
Contributor

Hi,

I have gone through the recent Americas Deep Dive: Identity Awareness Best Practices. Is it required to install the Agent on all user machines?

0 Kudos
Chris_Atkinson
Employee

The IDC itself no.

The Identity Agent(s) still no, but it likely provides a better enforcement / outcome.

CCSM R77/R80/ELITE
0 Kudos
Lesley
Authority

Laptop with one user on it: no. VDI machine with 10: it would be very helpful. Tip: if there are more users on 1 IP, an agent will be handy.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
PhoneBoy
Admin

Multi-user systems require an Identity Agent to differentiate traffic from different users on the same machine.
Without an identity agent installed, roaming users may not get their identity updated when they change locations (and thus IP address).

0 Kudos
