This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
NorthernNetGuy
Advisor
‎2018-10-24 05:34 AM
Jump to solution

Identity Collector Exclusion List

If you leave the excluded and included items blank, are all items sent, or do you have to specify all networks you want to include?

If I add one subnet in the included list, does that mean everything else is excluded, even if not defined in the excluded list?

There's no real documentation I can find for this. The Identity awareness guide just says "Defines IP addresses and networks to include or exclude".

I would just like to test Identity Collector in one subnet, and exclude that subnet from AD Query.

1 Solution

Accepted Solutions
Royi_Priov
Employee
Employee
‎2018-10-31 05:16 AM
In response to NorthernNetGuy
Jump to solution

correct.

Thanks,
Royi Priov
R&D Group manager, Infinity Identity

View solution in original post

13 Replies
G_W_Albrecht
Legend Legend
Legend
‎2018-10-24 07:14 AM
Jump to solution

You find more information in the Identity Collector R77.30 Release Notes.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
NorthernNetGuy
Advisor
‎2018-10-24 07:19 AM
In response to G_W_Albrecht
Jump to solution

r 77.30 release notes show the same thing as the r80.10. It says you can use it to exclude and include, but no details as to how the exclusions work. (Does include inherently exclude all non included networks?)

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2018-10-24 07:25 AM
In response to NorthernNetGuy
Jump to solution

Royi Priov‌ - could you help here pls? Smiley Happy

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-10-24 07:27 AM
Jump to solution

I would assume that basic principles of logic do apply Smiley Happy. Main feature here is optimization by excluding unnecessary information, but it makes also possible to strictly limit the collected information by using include.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
NorthernNetGuy
Advisor
‎2018-10-24 07:41 AM
In response to G_W_Albrecht
Jump to solution

That's what I would assume as well. The features seem almost mutually exclusive, kinda like a fail open or fail close. I wonder which one is determined first, the exclude or the include?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-10-24 07:56 AM
In response to NorthernNetGuy
Jump to solution

It does make no sense to use both - this filters the data from Collector before forwarding it to the GWs. As explained in the documentation, this comes handy to filter unnecessary data. The other side would be a kind of whitelist, limiting which data shall be forwarded to the GWs, that can be usefull under special circumstances.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Kris_Pellens
Collaborator
‎2018-10-24 01:26 PM
In response to G_W_Albrecht
Jump to solution

It does make sense to use both. Example:

  1. Include: 10.105.0.0/16
  2. Exclude: 10.105.20.0/24

I agree with David, the R80.10 and R80.20 documentation regarding the Identity Collector does not have the right quality.

It looks like it's done on purpose, in order to sell professional services, isn't it?

0 Kudos
Royi_Priov
Employee
Employee
‎2018-10-24 10:23 PM
In response to Kris_Pellens
Jump to solution

Kris Pellens wrote:

It looks like it's done on purpose, in order to sell professional services, isn't it?

Hi Kris,

I really feel sorry this is your opinion.

Taking this into the constructive side, I will appreciate if you could tell me what you are missing in our documentation.

Thanks,

Royi Priov

Team Leader, Identity Awareness R&D.

Thanks,
Royi Priov
R&D Group manager, Infinity Identity
0 Kudos
Kris_Pellens
Collaborator
‎2018-10-26 04:09 AM
In response to Royi_Priov
Jump to solution

Hello Royi,

Thank you for your feedback. We're currently implementing Identity Management (using Microsoft Active Directory and Cisco ISE).

At the moment, we have the following set up:

  1. A VSX/VSLS cluster (R80.20)
  2. A Security Management Server (R80.20)
  3. Identity Collector (sk134312)
  4. Identity Agent Terminal Server (sk134312), running on Windows 2012

The online documentation (i.e. the Identity Awareness R80.20 Administration Guide) is not reflecting those updates. It would be nice to have the online documentation be aligned with the latest updates.

We're also experiencing connections issues on the terminal servers.

Since the installation of the Terminal Server Agent, sometimes all tcp ports on the server are occupied (port starvation); resulting in connection errors (hence: user frustration). The number of users is less than 20.

Today, we've experienced a TS crash, caused by the agent:

(A TAC case has been opened for that).

The Check Point community is also asking for a best practices and configuration document on how to integrate Check Point Identity with Cisco ISE. Is this something you can provide, because your team did the tests up to ISE 2.4.

Many thanks.

Kind regards,

Kris

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-10-31 03:58 AM
In response to Kris_Pellens
Jump to solution

Please explain what this comment has to do with the topic Identity Collector Exclusion List ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Royi_Priov
Employee
Employee
‎2018-10-24 10:25 PM
Jump to solution

Hi,

As written here, when identity is received on the Identity collector, in order to be sent to the gateway, it should pass all filters for both global and local gateway filter (available in our latest version - sk134312).

Therefore, if there are both inclusion and exclusion lists, both filters will be applied.

Thanks,

Royi Priov

Team Leader, Identity Awareness R&D.

Thanks,
Royi Priov
R&D Group manager, Infinity Identity
0 Kudos
NorthernNetGuy
Advisor
‎2018-10-25 05:28 AM
In response to Royi_Priov
Jump to solution

So if I have nothing in the inclusion list, everything with pass.

If I have 1 subnet in the inclusion list, only that subnet will pass.

Is that correct? 

0 Kudos
Royi_Priov
Employee
Employee
‎2018-10-31 05:16 AM
In response to NorthernNetGuy
Jump to solution

correct.

Thanks,
Royi Priov
R&D Group manager, Infinity Identity

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events