Identity Collector Exclusion List
If you leave the excluded and included items blank, are all items sent, or do you have to specify all networks you want to include?
If I add one subnet in the included list, does that mean everything else is excluded, even if not defined in the excluded list?
There's no real documentation I can find for this. The Identity awareness guide just says "Defines IP addresses and networks to include or exclude".
I would just like to test Identity Collector in one subnet, and exclude that subnet from AD Query.
- Tags:
- identity collector
Accepted Solutions
You find more information in the Identity Collector R77.30 Release Notes.
The R77.30 release notes show the same thing as the R80.10 ones. They say you can use it to exclude and include, but give no details as to how the exclusions work. (Does include inherently exclude all non-included networks?)
Royi Priov - could you help here, please?
I would assume that basic principles of logic do apply. The main feature here is optimization by excluding unnecessary information, but it also makes it possible to strictly limit the collected information by using include.
That's what I would assume as well. The features seem almost mutually exclusive, kind of like fail open or fail closed. I wonder which one is evaluated first, the exclude or the include?
It makes no sense to use both - this filters the data on the Collector before forwarding it to the GWs. As explained in the documentation, this comes in handy to filter out unnecessary data. The other side would be a kind of whitelist, limiting which data shall be forwarded to the GWs, which can be useful under special circumstances.
It does make sense to use both. Example:
- Include: 10.105.0.0/16
- Exclude: 10.105.20.0/24
I agree with David: the R80.10 and R80.20 documentation regarding the Identity Collector does not have the right quality.
It looks like it's done on purpose, in order to sell professional services, doesn't it?
Kris Pellens wrote:
It looks like it's done on purpose, in order to sell professional services, doesn't it?
Hi Kris,
I am really sorry that this is your opinion.
Taking this to the constructive side, I would appreciate it if you could tell me what you are missing in our documentation.
Thanks,
Royi Priov
Team Leader, Identity Awareness R&D.
Royi Priov
R&D Group manager, Infinity Identity
Hello Royi,
Thank you for your feedback. We're currently implementing Identity Management (using Microsoft Active Directory and Cisco ISE).
At the moment, we have the following set up:
- A VSX/VSLS cluster (R80.20)
- A Security Management Server (R80.20)
- Identity Collector (sk134312)
- Identity Agent Terminal Server (sk134312), running on Windows 2012
The online documentation (i.e. the Identity Awareness R80.20 Administration Guide) does not reflect those updates. It would be nice to have the online documentation aligned with the latest updates.
We're also experiencing connection issues on the terminal servers.
Since the installation of the Terminal Server Agent, sometimes all TCP ports on the server are occupied (port starvation), resulting in connection errors (hence: user frustration). The number of users is less than 20.
Today, we experienced a TS crash, caused by the agent:
(A TAC case has been opened for that.)
The Check Point community is also asking for a best practices and configuration document on how to integrate Check Point Identity with Cisco ISE. Is this something you can provide, since your team did the tests up to ISE 2.4?
Many thanks.
Kind regards,
Kris
Please explain what this comment has to do with the topic Identity Collector Exclusion List?
Hi,
As written here, when an identity is received on the Identity Collector, in order to be sent to the gateway it should pass all filters, both the global filter and the local gateway filter (available in our latest version - sk134312).
Therefore, if there are both inclusion and exclusion lists, both filters will be applied.
Thanks,
Royi Priov
Team Leader, Identity Awareness R&D.
Royi Priov
R&D Group manager, Infinity Identity
So if I have nothing in the inclusion list, everything will pass.
If I have one subnet in the inclusion list, only that subnet will pass.
Is that correct?
Correct.
Royi Priov
R&D Group manager, Infinity Identity
Hello All,
I still have a question regarding the Include / Exclude option for identities.
Currently I have an Identity Filter that excludes all service accounts (regex identity svc*), yet we need to include an account named svcJohnDoe. So I added a new Include entry for that account, but it is still not seen by the gateways.
According to your explanation, both should be applied, but it seems to me that the exclusion is overriding the include entry.
Can you please help?
Kind regards,
Nuno Ramalho
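The filter semantics stated in this thread (Royi Priov's "both filters will be applied", confirmed as "empty include list passes everything, one subnet in the include list passes only that subnet") can be written down as a small model, which also reproduces what the last post reports for the svc* exclusion. The code below is an added example, not Check Point code and not the Identity Collector's implementation; it assumes that exclusion is evaluated as an absolute drop, that an empty include list constrains nothing, that user filters are regular expressions (as the svc* post describes), and that the global and per-gateway filters are chained so an identity must pass every stage. The IP addresses, user names and the `svc.*` pattern are constructed for the example; the 10.105.0.0/16 and 10.105.20.0/24 values are the ones Kris used above.

```python
"""Model of the Identity Collector include/exclude filter logic discussed
in this thread. Added example only; the semantics are an assumption taken
from the thread, not Check Point's published implementation."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IdentityFilter:
    """One filter stage (global or per-gateway).

    Network lists hold CIDR strings; user lists hold regular expressions
    (assumption: mirrors the "regex identity svc*" filter in the thread).
    """
    include_nets: List[str] = field(default_factory=list)
    exclude_nets: List[str] = field(default_factory=list)
    include_users: List[str] = field(default_factory=list)
    exclude_users: List[str] = field(default_factory=list)

    @staticmethod
    def _in_nets(ip: str, nets: List[str]) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

    @staticmethod
    def _matches(user: str, patterns: List[str]) -> bool:
        return any(re.fullmatch(p, user) for p in patterns)

    def reject_reason(self, ip: str, user: str) -> Optional[str]:
        """Return None if the identity passes this stage, else why it was dropped."""
        # Exclusions are absolute: a match drops the identity even if an
        # include entry also matches it, because both lists are applied.
        if self._in_nets(ip, self.exclude_nets):
            return f"{ip} is in an excluded network"
        if self._matches(user, self.exclude_users):
            return f"user {user!r} matches an exclude pattern"
        # An empty include list means "no restriction"; a non-empty one
        # admits only identities that match at least one entry.
        if self.include_nets and not self._in_nets(ip, self.include_nets):
            return f"{ip} is outside every included network"
        if self.include_users and not self._matches(user, self.include_users):
            return f"user {user!r} matches no include pattern"
        return None


def forwarded(filters: List[IdentityFilter], ip: str, user: str) -> Optional[str]:
    """Chain the global filter and a gateway's local filter: the identity is
    forwarded only if every stage passes. Returns None, or the first reason."""
    for stage in filters:
        reason = stage.reject_reason(ip, user)
        if reason:
            return reason
    return None


if __name__ == "__main__":
    # Kris's example: include 10.105.0.0/16, exclude 10.105.20.0/24.
    kris = IdentityFilter(include_nets=["10.105.0.0/16"],
                          exclude_nets=["10.105.20.0/24"])
    # The svc* case: exclude service accounts, try to include one of them.
    nuno = IdentityFilter(exclude_users=["svc.*"], include_users=["svcJohnDoe"])
    # Constructed sample identities, not from anyone's environment.
    samples = [("10.105.5.1", "alice"), ("10.105.20.7", "bob"),
               ("10.106.1.1", "carol"), ("10.0.0.5", "svcJohnDoe")]
    for name, stages in (("no filter", [IdentityFilter()]),
                         ("global empty + Kris gateway", [IdentityFilter(), kris]),
                         ("svc exclusion", [nuno])):
        for ip, user in samples:
            verdict = forwarded(stages, ip, user) or "forwarded"
            print(f"{name:28} {ip:12} {user:11} -> {verdict}")
```

Running it shows 10.105.20.7 dropped by the exclude entry and 10.106.1.1 dropped because it is outside the only included network, while an empty filter forwards everything. Under the same model, svcJohnDoe is dropped by the `svc.*` exclusion even though an include entry names it, which is the behaviour the last post describes; within this model the only way to admit one service account is to write the exclusion pattern so it does not match that account.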
