Identity Collector Setup
I am trying to experiment with the Identity Collector for IA. I have Identity Collector installed on a Windows Server with our DCs and it has made a successful SIC connection to one of our Gateways with Browser-Based Auth and Identity Collector selected for its Sources. Whenever I go to create an Access Role for my test user, I do not see my Identity Collector as a source under the Specific users/Groups area, only the LDAP Account Units from our AD Query setup. Am I missing something or doing something wrong here?
That's expected behavior.
Identity Collector is used to acquire users from Active Directory to the Security Gateways.
The groups those users are associated with are queried via LDAP.
Access Roles are also defined in terms of LDAP groups.
So how would I create a security rule to allow access to a specific site to a user with Identity Collector? I guess that is where I am lost.
I have the same exact problem.
My collector collects events and logins from AD. I have gateways set up with Identity Collector access and they are connected.
In the GUI for Identity Collector, I can check that it logs logins in the "Logins Monitor" pane, and I see that it is connected and sends events to the gateways in the "Gateways" panel.
My configuration is done according to the instructions in "CP_R80.20_IdentityAwareness_AdminGuide.pdf".
But at the gateway I can't see the identities when I try to create a new access role.
Also, in the logs on the gateway I see only "Error log" and "User Logout" events.
What am I missing? Where will the identity be created in the identity?
I hope someone can help clarify this; I can't find any sk that does that.
Cheers
Ole
Access Roles are defined in terms of LDAP Groups, not individual users.
The only place you will see individual users is in the logs.
If you're not seeing any LDAP Groups when you create an Access Role, it suggests you have either not configured LDAP Account Units or there is a misconfiguration.
So just to clarify, for myself: Identity Collector is used to populate LDAP groups retrieved from LDAP/AD via Account Units. Correct?
No, the IC parses the domain security log entries and forms mappings from LAN IP addresses to a username, and sends that information to the gateway, which places it into its IA cache. Upon receipt of the new mapping, the gateway itself directly queries AD to retrieve the mapped user's group memberships and keeps them up to date. If you want to look directly in the gateway's IA cache for troubleshooting purposes, please see my response in this thread:
--
CheckMates Break Out Sessions Speaker
CPX 2019 Las Vegas & Vienna - Tuesday@13:30
March 27th with sessions for both the EMEA and Americas time zones
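The flow described in the reply above, as an added example that is not part of the thread or of Check Point's own code: the collector reduces logon events to IP-to-user mappings that carry no group data, the gateway resolves groups through LDAP, and an Access Role matches on groups only. Event field names follow Windows Security event 4624, but the events, users, IPs and groups are constructed.

```python
# Added example (not Check Point code): a small model of the Identity Awareness
# flow the reply describes. Event fields, names and IPs are constructed.

# Constructed events shaped like Windows Security event 4624/4634 fields.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "jdoe", "IpAddress": "10.0.1.25"},
    {"EventID": 4634, "TargetDomainName": "CORP", "TargetUserName": "jdoe", "IpAddress": "-"},  # logoff
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "SRV01$", "IpAddress": "10.0.1.40"},  # machine
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "asmith", "IpAddress": "10.0.2.7"},
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "jdoe", "IpAddress": "::1"},  # local
]

# Constructed stand-in for the LDAP Account Unit the gateway queries for memberships.
LDAP_GROUPS = {
    "CORP\\jdoe": {"Finance", "Domain Users"},
    "CORP\\asmith": {"Domain Users"},
}

# Logon source values that carry no usable client address.
NON_ROUTABLE = {"-", "", "::1", "127.0.0.1"}


def collector_mappings(events):
    """Identity Collector side: keep successful logons (4624) that carry a client
    IP and return {ip: 'DOMAIN\\user'}. Later events for an IP overwrite earlier ones.
    Note that nothing here knows about groups."""
    mappings = {}
    for ev in events:
        if ev["EventID"] != 4624 or ev["IpAddress"] in NON_ROUTABLE:
            continue
        mappings[ev["IpAddress"]] = f"{ev['TargetDomainName']}\\{ev['TargetUserName']}"
    return mappings


def gateway_cache(mappings, ldap=LDAP_GROUPS):
    """Gateway side: on receiving each mapping, resolve the user's groups via LDAP.
    A user unknown to LDAP (the machine account here) gets an empty group set."""
    return {ip: {"user": user, "groups": ldap.get(user, set())} for ip, user in mappings.items()}


def access_role_matches(cache, src_ip, role_groups):
    """Access Role evaluation: the rule names LDAP groups, never the collector,
    so a cached identity with no group memberships never matches a group-based role."""
    entry = cache.get(src_ip)
    return entry is not None and bool(entry["groups"] & set(role_groups))


if __name__ == "__main__":
    cache = gateway_cache(collector_mappings(SAMPLE_EVENTS))
    for ip, entry in cache.items():
        print(ip, entry["user"], sorted(entry["groups"]), access_role_matches(cache, ip, ["Finance"]))
```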
Thanks for your answer, Timothy. That clarifies some things for me.
Is it the same thing with IC and Cisco ISE?
If IC retrieves User/IP mappings from Cisco ISE and sends them to the GW to be stored in the IA cache, does the GW then query ISE for "SGT" membership, or is the membership included in the information from ISE and then populated into the "Identity Tag" that is manually created according to the Identity Awareness Admin Guide as CSGT-<SGT_NAME>?
It still works the same way, more or less:
- Identity comes from Cisco ISE in the form of name, machine, and IP
- Groups come from LDAP
With Cisco ISE, there is an additional mechanism that leverages the CSGT-<Name> tags via the CloudGuard Controller (see the CloudGuard Controller R80.20 Administration Guide).
You can create rules based on these tags once they are defined.
