Q&A is below the video.
Slides are posted at the end.
Is OIDC supported for integrations?
R&D are improving the integrations with external Identity Sources and Identity Providers and there are many changes coming soon. We will arrange a future session to cover OIDC and others. so we will be arranging a future session to cover OIDC and others.
Since the IP to user mapping are on the PDP tables, isn't the default timeout is 7 days ? But i saw Kerberos tickets is 10 hours.
The default TTL of an Identity Session is 12 hours, not 7 days.
How are Terminal Servers (multi-user hosts) handled?
For multi-user hosts, we recommend installing the Multi-User Host agent.
We have an AD on 2022, so we use identity awareness. we have a message on firewall that a secondary session request was received from the same Ip. This caused logout of the current session. How to solve that?
In most environments, Identity Awareness assumes that only one user is logged into a single machine. If another user logs in, or if there is activity under a system account, this can sometimes cause this issue. This can be adjusted per: https://support.checkpoint.com/results/sk/sk105889
On computers/laptops how are service accounts handle in regards to logged on user. Is it best practice to exclude service accounts from being learned ?
There are options to ignore service and system accounts so that service account activity doesn't overwrite the Identity Session of the real human user.
Does this only work with Active Directory, or also LDAP?
Identity Agents all work against Active Directory only at present. Groups are queried via LDAP (usually AD). There are other ways to acquire identities, but only LDAP or SAML can be used to get group information necessary.
Are there any limitations or special recommendations for using Maestro (with or without VSX)?
Please refer to the following SK for guidance: https://support.checkpoint.com/results/sk/sk175587
How about Quantum Spark support for Identity Collector?
For centrally managed devices (e.g. with Smart-1 or Smart-1 Cloud), this is supported. For locally managed devices, it is not possible to use Identity Collector at this time.
How are user identities acquired?
Depends on the identity source. For Active Directory, we read the security logs using Identity Collector to get the user login information. For Entra ID or other SAML provider, it is read as part of the SAML assertion, which requires the gateway to be inline and be configured with Captive Portal.
We have a case where clients are sitting in a shared office area. We want to use CP IA as a NAC solution. Still, the concern is that we will need to permit "at least" network traffic related to the authentication process from the client network to the AD server to be able to obtain Kerberos Ticket. Is there a way to proxy these requests via PDP gateway to prevent clients from communicating directly with AD?
There are a couple of ways to achieve this, yes. The first that comes to mind is to use the Captive Portal in Identity Awareness. This would require the user to attempt to access something on the 'other' side of the security gateway. The gateway will then present the portal, and the user can input their AD credentials.
Our new clients will not be AD joined. What would be a good why to authenticate users agains Entra ID?
It’s not strictly required for machines to be AD-joined unless you’re using Identity Collector. Otherwise, all the other mechanisms can be used (including Entra ID).
If we have one gateway in a branch office and another set of gateways in a DC, is it necessary to activate Identity Awareness Blade on all gateways?
It is necessary to enable Identity Awareness on all gateways that enforce traffic based on identities.
The MUH agent currently has limitations. For example, it can't identify user initiated SMB traffic due to limitations in the way Windows works. Are any other solutions for large terminal server environments available or planned for the future?
Yes! MUH is under constant development. Please bring specific concerns through your local Check Point office.
What is your experience with SID support?
SID support was added in R81. Information to configure can be found in the Identity Awareness Administration Guide for your version. If you've upgraded from a version prior to R81, refer to: https://support.checkpoint.com/results/sk/sk181946
What is the best practice for outgoing Client PCs subject to NAT and identity awareness?
There isn't a relationship between NAT and Identity Awareness in the most part. However, if the traffic passes outbound through 2 layers of gateways and is NATed at the first layer, then the second will not be able to identify the user. In this case, you would need to change the way NAT was implemented so that the second layer of gateways could identify the true source IP, or avoid using Identity-based security on the second layer.
What type of AD permissions does the Gateway need to read AD?
It needs access to read the event log only. It doesn't need write permissions.
Is Identity Awareness integrable with an “open-source domain controller” (SAMBA - AD) ?
We don’t have specific support for it. If you have this as a requirement, please approach your local office with an RFE.
The identity collector admin guide mentions that it can work with a maximum of 35 domain controllers. How would you approach a domain with well over 100 DC's and no centralized source for the security event logs?
Usually this will require multiple IDCs connected with the various servers. For best scalability, you should be using the latest release (R81.20), which offers better scalability for these purposes.
What is the difference between an LDAP query from Gateway to AD and Identity Collector? I have both configured in my environment.
Identity Collector only gets the users without information about groups. Groups are obtained from LDAP by the gateway. Both are required.
Identity Awareness was in the past always "a battle" between amount of users and number of PDP / PEPs. Are there now any improvements planned to handle 10k users without setting up several gateways only for Identity handling?
Yes, there have been improvements made already (in R81.20), and more planned. PDP is now multi-threaded and is more capable of learning Identities and sharing them to PEPs without the same load problems we have seen in the past.
Is Identity Session Sharing valid for all Identity Sources (Identity Collector, MuHv2, RADIUS, Identity Providers, Captive Portal, Remote Access) and is it recommended to have a dedicated gateway in a Management Domain?
Identity Sharing applies to all sources. Depending on your exact scale, you may need to have a dedicated gateway to run pdp,
For AD with more than 150,000 do you have any recommendations for implementation?
We have some documentation here in https://support.checkpoint.com/results/sk/sk88520, but at this scale I would recommend a consultation with one of our SMEs here at Check Point to ensure your design will be successful.
Can you comment on sk180948 (SAML force auth every time for Remote Access)? Clients have asked for this but seems to be not officially supported by Check Point.
The best practice is to configure this setting on the Identity Provider, not on the Service Provider, which is what the gateway is in the context of SAML. We also cannot guarantee what the Identity Provider will do when they receive a ForceAuthn=true attribute. Also, this setting also applies for any Identity Providers configured on the gateway and will break SSO.
The identity broker feature is configured in some specific files, is in roadmap to configure this feature via SmartConsole?
No confirmed roadmap for this. Please consult with your local Check Point office.
Until when will be available the use of ADQuery?
Right now, there are no plans to deprecate support for ADQuery. However, ADQuery relies on WMI, which Microsoft has made numerous changes to Windows in response to various security vulnerabilities. As a direct result of these changes, domain administrator credentials are required on the gateway to use ADQuery, which many organizations find risky. Microsoft may make additional changes in the future that break ADQuery.
We recommend all customers using ADQuery to move to Identity Collector.
Is the Identity Broker a standard Gaia installation but with a specific role ? Is these services included in standard installation ?
Identity Broker is a standard feature and can be set up on any gateway that has Identity Awareness enabled. In large infrastructures, there are sometimes dedicated PDP brokers to share large numbers of identities across the organisation.
We have several sites (at Europe, Asia, Africa...). But we have only two PDP. Is this better to have a PDP on each site?
This is considered best practice, yes. More precisely, identities should be acquired “as close to the user as possible.”
How to handle sessions when user uses Windows "Run as administrator"?
We do not track local privilege escalations at this time.
Currently, we are using Check Point IC for on-prem AD join PC with AD Query option and send user identity to SG. Now most of the customer are moving on-prem AD join PC to modern workplace/cloud PC (Azure AD join) where we are missing user to IP mapping feature with AD query option. Does Check Point have any solution to get Azure AD join PC user & IP mapping info to security gateway through IC using AD query option?
You cannot use ADQuery with Azure/Entra ID. You must configure SAML in this case, which uses Captive Portal to capture the authentication from the user and capture the relevant groups from the SAML Assertion.
Does Identity Collector works with say two active directories which are syndicated. Both AD’s have to be used as it’s a merger of two companies and two AD’s
Yes, Identity Collector can learn from multiple AD servers (and indeed from AD and Cisco ICE at the same time). As Peter stated in his presentation, use of Global Catalog servers is recommended if they are available.
Can I have 2 identity collector (main and backup)? How can i configure them on a firewall?
Yes you can, and it's a recommended method to create a resilient infrastructure. You can configure the PDP with the details of both IDCs and give them a priority. The PDP will recieve duplicate identity information from both IDCs and will consolidate them into a single Identity Session record.
Can the Identity Collector on prem be linked to both internal AD and Azure AD? we lost visibility of clients managed by Intune and Azure AD!
Both can be used at the same time, yes.
What is the best practice, if we have roaming users? meaning switching from LAN to WLAN and therefore chaneing IP address without getting new kerberos tickets. Is the identity collector getting the IP changes?
Locally-installed Identity Agents are recommended for this use case.
Any plans to install ID Collector on Linux or have an Identity Agent for Linux?
Not at present. Please contact your local Check Point office if you have this requirement. However, you can potentially leverage the Identity Awareness API to "roll your own."
Identity Collector should be installed in AD Dom Controllers or just a server joined to the domain?
Any server (doesn’t even have to be AD-joined) assuming it has access to the AD server.
Do we need to use Identity Collector if we are using a SAML provider as an Identity Source?
Identity Collector is only relevant for on-premise Active Directory.
Is there any way to avoid creating different pdp across each domain and use one single global pdp and make it use towards pep across all other domain in MDM env?
We have a number of global customers who have a central PDP infrastructure that learns all the identities, then shares the created Identity Sessions with all the PEP gateways. I would recommend that you have a conversation with one of our Identity Awareness experts to design the best architecture. Please contact your local Check Point office.
Is it preferred to have IDC in each country or just share idenitites between gateways?
It's best practice to learn the identities with Identity Collector as close to the source (AD server, Cisco ICE) as possible. In large infrastructures with (10k users plus), these identities are usually then passed to a local PDP so that access in the local office is allowed. The PDP then shares the Identity to a central PDP infrastructure for onward sharing to the other countries. In smaller organisations, the number of PDPs can be reduced. Your Check Point account manager or SE should be able to find you to an expert to help you work out a scalable and resilient Identity Awareness architecture that suits your needs and size.
Do I need Identity Collector if I already have a IA appliance in my infrastructure ?
ID Collector is the best way to learn Identities from on-premise Active Directory. It will then pass the Identity information to the IA gateway.
Is Check Point recommending enforcing an IA rule twice during a flow. In our case, the traffic flows through two Check Point firewalls, both of which have Identity Awareness enabled.
This is a good question! Yes, we do recommend that Identity-based security is enforced at all gateways that the traffic passes through. The Identity Sharing topics that Peter is discussing allow all gateways in the infrastructure to know about all the logged-in users and apply policy at all points in the network.
How are actually managed multiple users logged to a machine? Even with the ID collector I often see logs of users who previously connected to a client, or maybe left a session open, and not the current user.
Only login events are read. To ensure only the current user is allowed, see: https://support.checkpoint.com/results/sk/sk105889
What should you use to manage identity on PC shared by different users (multiple logins)?
Install the Multi-User Host agent (v2), which supports Windows 10 multi-session as well as terminal servers: https://support.checkpoint.com/results/sk/sk177024
Can you please explain the User/IP association timeout setting? Does this mean that is caching somewhere an IP with user access. What happens if user looses connection and another one hets same IP from DHCP? Does he get access or cache resets?
If a user IP address is expected to change, then it is recommend to use an Identity Agent to ensure accurate mapping of users to IP addresses. Otherwise, the association will be incorrect until a login event is generated and read by the relevant identity source.
Today we use remote access to authenticate against LDAP (AD) and MFA using RADIUS (NPS extension). We are moving toward domain-less, Entra ID environment. How will IA be able to work in that environment?
Remote Access clients can authenticate via Entra ID as well. Refer to:
Video will be posted soon.
Is OIDC supported for integrations?
R&D are improving the integrations with external Identity Sources and Identity Providers and there are many changes coming soon. We will arrange a future session to cover OIDC and others. so we will be arranging a future session to cover OIDC and others.
Since the IP to user mapping are on the PDP tables, isn't the default timeout is 7 days ? But i saw Kerberos tickets is 10 hours.
The default TTL of an Identity Session is 12 hours, not 7 days.
How are Terminal Servers (multi-user hosts) handled?
For multi-user hosts, we recommend installing the Multi-User Host agent.
We have an AD on 2022, so we use identity awareness. we have a message on firewall that a secondary session request was received from the same Ip. This caused logout of the current session. How to solve that?
In most environments, Identity Awareness assumes that only one user is logged into a single machine. If another user logs in, or if there is activity under a system account, this can sometimes cause this issue. This can be adjusted per: https://support.checkpoint.com/results/sk/sk105889
On computers/laptops how are service accounts handle in regards to logged on user. Is it best practice to exclude service accounts from being learned ?
There are options to ignore service and system accounts so that service account activity doesn't overwrite the Identity Session of the real human user.
Does this only work with Active Directory, or also LDAP?
Identity Agents all work against Active Directory only at present. Groups are queried via LDAP (usually AD). There are other ways to acquire identities, but only LDAP or SAML can be used to get group information necessary.
Are there any limitations or special recommendations for using Maestro (with or without VSX)?
Please refer to the following SK for guidance: https://support.checkpoint.com/results/sk/sk175587
How about Quantum Spark support for Identity Collector?
For centrally managed devices (e.g. with Smart-1 or Smart-1 Cloud), this is supported. For locally managed devices, it is not possible to use Identity Collector at this time.
How are user identities acquired?
Depends on the identity source. For Active Directory, we read the security logs using Identity Collector to get the user login information. For Entra ID or other SAML provider, it is read as part of the SAML assertion, which requires the gateway to be inline and be configured with Captive Portal.
We have a case where clients are sitting in a shared office area. We want to use CP IA as a NAC solution. Still, the concern is that we will need to permit "at least" network traffic related to the authentication process from the client network to the AD server to be able to obtain Kerberos Ticket. Is there a way to proxy these requests via PDP gateway to prevent clients from communicating directly with AD?
There are a couple of ways to achieve this, yes. The first that comes to mind is to use the Captive Portal in Identity Awareness. This would require the user to attempt to access something on the 'other' side of the security gateway. The gateway will then present the portal, and the user can input their AD credentials.
Our new clients will not be AD joined. What would be a good why to authenticate users agains Entra ID?
It’s not strictly required for machines to be AD-joined unless you’re using Identity Collector. Otherwise, all the other mechanisms can be used (including Entra ID).
If we have one gateway in a branch office and another set of gateways in a DC, is it necessary to activate Identity Awareness Blade on all gateways?
It is necessary to enable Identity Awareness on all gateways that enforce traffic based on identities.
The MUH agent currently has limitations. For example, it can't identify user initiated SMB traffic due to limitations in the way Windows works. Are any other solutions for large terminal server environments available or planned for the future?
Yes! MUH is under constant development. Please bring specific concerns through your local Check Point office.
What is your experience with SID support?
SID support was added in R81. Information to configure can be found in the Identity Awareness Administration Guide for your version. If you've upgraded from a version prior to R81, refer to: https://support.checkpoint.com/results/sk/sk181946
What is the best practice for outgoing Client PCs subject to NAT and identity awareness?
There isn't a relationship between NAT and Identity Awareness in the most part. However, if the traffic passes outbound through 2 layers of gateways and is NATed at the first layer, then the second will not be able to identify the user. In this case, you would need to change the way NAT was implemented so that the second layer of gateways could identify the true source IP, or avoid using Identity-based security on the second layer.
What type of AD permissions does the Gateway need to read AD?
It needs access to read the event log only. It doesn't need write permissions.
Is Identity Awareness integrable with an “open-source domain controller” (SAMBA - AD) ?
We don’t have specific support for it. If you have this as a requirement, please approach your local office with an RFE.
The identity collector admin guide mentions that it can work with a maximum of 35 domain controllers. How would you approach a domain with well over 100 DC's and no centralized source for the security event logs?
Usually this will require multiple IDCs connected with the various servers. For best scalability, you should be using the latest release (R81.20), which offers better scalability for these purposes.
What is the difference between an LDAP query from Gateway to AD and Identity Collector? I have both configured in my environment.
Identity Collector only gets the users without information about groups. Groups are obtained from LDAP by the gateway. Both are required.
Identity Awareness was in the past always "a battle" between amount of users and number of PDP / PEPs. Are there now any improvements planned to handle 10k users without setting up several gateways only for Identity handling?
Yes, there have been improvements made already (in R81.20), and more planned. PDP is now multi-threaded and is more capable of learning Identities and sharing them to PEPs without the same load problems we have seen in the past.
Is Identity Session Sharing valid for all Identity Sources (Identity Collector, MuHv2, RADIUS, Identity Providers, Captive Portal, Remote Access) and is it recommended to have a dedicated gateway in a Management Domain?
Identity Sharing applies to all sources. Depending on your exact scale, you may need to have a dedicated gateway to run pdp,
For AD with more than 150,000 do you have any recommendations for implementation?
We have some documentation here in https://support.checkpoint.com/results/sk/sk88520, but at this scale I would recommend a consultation with one of our SMEs here at Check Point to ensure your design will be successful.
Can you comment on sk180948 (SAML force auth every time for Remote Access)? Clients have asked for this but seems to be not officially supported by Check Point.
The best practice is to configure this setting on the Identity Provider, not on the Service Provider, which is what the gateway is in the context of SAML. We also cannot guarantee what the Identity Provider will do when they receive a ForceAuthn=true attribute. Also, this setting also applies for any Identity Providers configured on the gateway and will break SSO.
The identity broker feature is configured in some specific files, is in roadmap to configure this feature via SmartConsole?
No confirmed roadmap for this. Please consult with your local Check Point office.
Until when will be available the use of ADQuery?
Right now, there are no plans to deprecate support for ADQuery. However, ADQuery relies on WMI, which Microsoft has made numerous changes to Windows in response to various security vulnerabilities. As a direct result of these changes, domain administrator credentials are required on the gateway to use ADQuery, which many organizations find risky. Microsoft may make additional changes in the future that break ADQuery.
We recommend all customers using ADQuery to move to Identity Collector.
Is the Identity Broker a standard Gaia installation but with a specific role ? Is these services included in standard installation ?
Identity Broker is a standard feature and can be set up on any gateway that has Identity Awareness enabled. In large infrastructures, there are sometimes dedicated PDP brokers to share large numbers of identities across the organisation.
We have several sites (at Europe, Asia, Africa...). But we have only two PDP. Is this better to have a PDP on each site?
This is considered best practice, yes. More precisely, identities should be acquired “as close to the user as possible.”
How to handle sessions when user uses Windows "Run as administrator"?
We do not track local privilege escalations at this time.
Currently, we are using Check Point IC for on-prem AD join PC with AD Query option and send user identity to SG. Now most of the customer are moving on-prem AD join PC to modern workplace/cloud PC (Azure AD join) where we are missing user to IP mapping feature with AD query option. Does Check Point have any solution to get Azure AD join PC user & IP mapping info to security gateway through IC using AD query option?
You cannot use ADQuery with Azure/Entra ID. You must configure SAML in this case, which uses Captive Portal to capture the authentication from the user and capture the relevant groups from the SAML Assertion.
Does Identity Collector works with say two active directories which are syndicated. Both AD’s have to be used as it’s a merger of two companies and two AD’s
Yes, Identity Collector can learn from multiple AD servers (and indeed from AD and Cisco ICE at the same time). As Peter stated in his presentation, use of Global Catalog servers is recommended if they are available.
Can I have 2 identity collector (main and backup)? How can i configure them on a firewall?
Yes you can, and it's a recommended method to create a resilient infrastructure. You can configure the PDP with the details of both IDCs and give them a priority. The PDP will recieve duplicate identity information from both IDCs and will consolidate them into a single Identity Session record.
Can the Identity Collector on prem be linked to both internal AD and Azure AD? we lost visibility of clients managed by Intune and Azure AD!
Both can be used at the same time, yes.
What is the best practice, if we have roaming users? meaning switching from LAN to WLAN and therefore chaneing IP address without getting new kerberos tickets. Is the identity collector getting the IP changes?
Locally-installed Identity Agents are recommended for this use case.
Any plans to install ID Collector on Linux or have an Identity Agent for Linux?
Not at present. Please contact your local Check Point office if you have this requirement. However, you can potentially leverage the Identity Awareness API to "roll your own."
Identity Collector should be installed in AD Dom Controllers or just a server joined to the domain?
Any server (doesn’t even have to be AD-joined) assuming it has access to the AD server.
Do we need to use Identity Collector if we are using a SAML provider as an Identity Source?
Identity Collector is only relevant for on-premise Active Directory.
Is there any way to avoid creating different pdp across each domain and use one single global pdp and make it use towards pep across all other domain in MDM env?
We have a number of global customers who have a central PDP infrastructure that learns all the identities, then shares the created Identity Sessions with all the PEP gateways. I would recommend that you have a conversation with one of our Identity Awareness experts to design the best architecture. Please contact your local Check Point office.
Is it preferred to have IDC in each country or just share idenitites between gateways?
It's best practice to learn the identities with Identity Collector as close to the source (AD server, Cisco ICE) as possible. In large infrastructures with (10k users plus), these identities are usually then passed to a local PDP so that access in the local office is allowed. The PDP then shares the Identity to a central PDP infrastructure for onward sharing to the other countries. In smaller organisations, the number of PDPs can be reduced. Your Check Point account manager or SE should be able to find you to an expert to help you work out a scalable and resilient Identity Awareness architecture that suits your needs and size.
Do I need Identity Collector if I already have a IA appliance in my infrastructure ?
ID Collector is the best way to learn Identities from on-premise Active Directory. It will then pass the Identity information to the IA gateway.
Is Check Point recommending enforcing an IA rule twice during a flow. In our case, the traffic flows through two Check Point firewalls, both of which have Identity Awareness enabled.
This is a good question! Yes, we do recommend that Identity-based security is enforced at all gateways that the traffic passes through. The Identity Sharing topics that Peter is discussing allow all gateways in the infrastructure to know about all the logged-in users and apply policy at all points in the network.
How are actually managed multiple users logged to a machine? Even with the ID collector I often see logs of users who previously connected to a client, or maybe left a session open, and not the current user.
Only login events are read. To ensure only the current user is allowed, see: https://support.checkpoint.com/results/sk/sk105889
What should you use to manage identity on PC shared by different users (multiple logins)?
Install the Multi-User Host agent (v2), which supports Windows 10 multi-session as well as terminal servers: https://support.checkpoint.com/results/sk/sk177024
Can you please explain the User/IP association timeout setting? Does this mean that is caching somewhere an IP with user access. What happens if user looses connection and another one hets same IP from DHCP? Does he get access or cache resets?
If a user IP address is expected to change, then it is recommend to use an Identity Agent to ensure accurate mapping of users to IP addresses. Otherwise, the association will be incorrect until a login event is generated and read by the relevant identity source.
Today we use remote access to authenticate against LDAP (AD) and MFA using RADIUS (NPS extension). We are moving toward domain-less, Entra ID environment. How will IA be able to work in that environment?
Remote Access clients can authenticate via Entra ID. See: https://support.checkpoint.com/results/sk/sk172909
