Jonathan_Langle
Participant

Identity Collector Setup

I am trying to experiment with the Identity Collector for IA. I have Identity Collector installed on a Windows Server with our DCs, and it has made a successful SIC connection to one of our Gateways with Browser-Based Auth and Identity Collector selected as its sources. Whenever I go to create an Access Role for my test user, I do not see my Identity Collector as a source under the Specific users/Groups area, only the LDAP Account Units from our AD Query setup. Am I missing something or doing something wrong here?

8 Replies
PhoneBoy
Admin

That's expected behavior.

Identity Collector is used to acquire users from Active Directory to the Security Gateways.

The groups those users are associated with are queried via LDAP.

Access Roles are also defined in terms of LDAP groups. 

Jonathan_Langle
Participant

So how would I create a security rule to allow access to a specific site to a user with Identity Collector? I guess that is where I am lost.

Ole_Jakobsen
Contributor

I have the same exact problem.


My collector collects events and logins from AD. I have gateways setup with Identity Collector access and they are connected.


In my GUI for Identity Collector, I can check that it logs logins in the "Logins Monitor" pane, and I see that it is connected and sends events to gateways in the "Gateways" panel.

My configuration is done according to the instructions "CP_R80.20_IdentityAwareness_AdminGuide.pdf".

But on the gateway I can't see the identities when I try to create a new Access Role.

Also, in the logs in the gateway I see only "Error log" and "User Logout" events.

What am I missing? Where will the identity be created in the identity?

I hope someone can help clarify this. I can't find any SK that does that.

Cheers

Ole

PhoneBoy
Admin

Access Roles are defined in terms of LDAP Groups, not individual users.

The only place you will see individual users is in the logs.

If you're not seeing any LDAP Groups when you create an Access Role, it suggests you have either not configured LDAP Account Units or there is a misconfiguration.

Ole_Jakobsen
Contributor

So just to clarify, for myself, Identity Collector is used to populate LDAP groups retrieved from LDAP/AD via Account Units. Correct?

Timothy_Hall
Legend

No, the IC parses the domain security log entries and forms mappings of LAN IP addresses to a username, and sends that information to the gateway, which places it into its IA cache. Upon receipt of the new mapping, the gateway itself directly queries AD to retrieve the mapped user's group memberships and keeps them up to date. If you want to look directly in the gateway's IA cache for troubleshooting purposes, please see my response in this thread:

https://community.checkpoint.com/message/38332-re-app-control-ignoring-a-rule?commentID=38332#commen... 

--

CheckMates Break Out Sessions Speaker

CPX 2019 Las Vegas & Vienna - Tuesday@13:30

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
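The flow Timothy describes (DC security-log logon events become IP-to-user mappings, the gateway caches them and fetches the user's groups from AD, and Access Roles match on those LDAP groups, as PhoneBoy says) can be modelled end to end in a few dozen lines. The following is an added example, not Check Point's code; the event IDs are the well-known Windows Security IDs (4624 logon, 4768/4769 Kerberos), but which of them a given Identity Collector build reads, the 8-hour session TTL, and the sample events, directory groups and role names are all constructed assumptions for the example.

```python
"""Model of the Identity Collector flow: DC logon events -> IP-to-user map
-> gateway IA cache -> AD group lookup -> Access Role match.
Added example, not Check Point code; all data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows Security event IDs: 4624 = successful logon, 4768 = Kerberos TGT
# requested, 4769 = Kerberos service ticket requested. Only events that carry
# a client IpAddress are useful; logoff events (4634) have none and are
# ignored, so mappings age out on a TTL instead. (Assumed set of IDs.)
LOGON_EVENT_IDS = {4624, 4768, 4769}

# Constructed sample of parsed DC security-log events; field names follow
# the Windows event XML (TargetUserName, TargetDomainName, IpAddress).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2019-02-04T08:00:00", "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "IpAddress": "10.1.2.50", "LogonType": 2},
    # Kerberos events on a DC report IPv4-mapped IPv6 addresses
    {"EventID": 4768, "TimeCreated": "2019-02-04T08:00:05", "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "IpAddress": "::ffff:10.1.2.50"},
    # machine account (trailing $) from the same host must not displace jdoe
    {"EventID": 4624, "TimeCreated": "2019-02-04T08:01:00", "TargetUserName": "WS01$",
     "TargetDomainName": "CORP", "IpAddress": "10.1.2.50", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2019-02-04T08:02:00", "TargetUserName": "asmith",
     "TargetDomainName": "CORP", "IpAddress": "10.1.2.51", "LogonType": 10},
    # local logon on the DC itself: no usable client address
    {"EventID": 4624, "TimeCreated": "2019-02-04T08:03:00", "TargetUserName": "svc_backup",
     "TargetDomainName": "CORP", "IpAddress": "-", "LogonType": 4},
    # logoff carries no IP, so it cannot be mapped and is skipped
    {"EventID": 4634, "TimeCreated": "2019-02-04T08:30:00", "TargetUserName": "asmith",
     "TargetDomainName": "CORP", "TargetLogonId": "0x3e7"},
]

# Constructed stand-in for what the gateway fetches from AD via its Account
# Unit: the memberOf attribute per user. A real query would be an LDAP search
# such as (&(objectClass=user)(sAMAccountName=jdoe)) returning memberOf.
DIRECTORY_MEMBEROF = {
    "CORP\\jdoe": {"CN=Finance,OU=Groups,DC=corp,DC=example",
                   "CN=Domain Users,CN=Users,DC=corp,DC=example"},
    "CORP\\asmith": {"CN=IT-Admins,OU=Groups,DC=corp,DC=example",
                     "CN=Domain Users,CN=Users,DC=corp,DC=example"},
}

# Access Roles are defined in terms of LDAP groups, never individual users.
ACCESS_ROLES = {
    "Finance_Users": {"CN=Finance,OU=Groups,DC=corp,DC=example"},
    "Admins": {"CN=IT-Admins,OU=Groups,DC=corp,DC=example"},
    "All_Staff": {"CN=Domain Users,CN=Users,DC=corp,DC=example"},
}


@dataclass
class IdentityEntry:
    user: str            # DOMAIN\sAMAccountName
    learned_at: datetime
    expires_at: datetime


def normalize_ip(raw: str | None) -> str | None:
    """Return a plain client IP, or None when the event has no usable address."""
    if not raw or raw in ("-", "::1", "127.0.0.1"):
        return None
    if raw.startswith("::ffff:"):
        raw = raw[len("::ffff:"):]
    return raw


def build_identity_cache(events, session_ttl: timedelta = timedelta(hours=8)):
    """Replay logon events in time order into the IP -> identity map the
    collector feeds to the gateway. Machine accounts and events without a
    client IP are dropped; a newer user logon from the same IP replaces the
    older mapping, and every hit refreshes the expiry timer."""
    cache: dict[str, IdentityEntry] = {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] not in LOGON_EVENT_IDS:
            continue
        user = ev.get("TargetUserName", "")
        if not user or user.endswith("$"):
            continue
        ip = normalize_ip(ev.get("IpAddress"))
        if ip is None:
            continue
        seen = datetime.fromisoformat(ev["TimeCreated"])
        cache[ip] = IdentityEntry(user=f"{ev['TargetDomainName']}\\{user}",
                                  learned_at=seen, expires_at=seen + session_ttl)
    return cache


def roles_for_ip(ip: str, cache, now) -> set[str]:
    """Gateway-side match: identity from the cache, groups from the directory,
    roles from group membership. Unknown or expired IPs match no role."""
    now_dt = datetime.fromisoformat(now) if isinstance(now, str) else now
    entry = cache.get(ip)
    if entry is None or now_dt >= entry.expires_at:
        return set()
    groups = DIRECTORY_MEMBEROF.get(entry.user, set())
    return {role for role, role_groups in ACCESS_ROLES.items() if groups & role_groups}


if __name__ == "__main__":
    cache = build_identity_cache(SAMPLE_EVENTS)
    for ip, entry in sorted(cache.items()):
        print(ip, entry.user, sorted(roles_for_ip(ip, cache, "2019-02-04T09:00:00")))
```

The point the model makes is the one the thread keeps coming back to: the collector never carries group information, so an Access Role cannot be built from the collector as a "source"; it is built from LDAP groups, and the gateway joins the two at enforcement time. The same join can be observed on a real gateway with `pdp monitor ip <address>` or `pdp monitor all`, which show the cached user and the groups resolved for it.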
Ole_Jakobsen
Contributor

Thanks for your answer, Timothy. That clarifies some things for me.

Is it the same thing with IC and Cisco ISE?


If IC retrieves User/IP mappings from Cisco ISE and sends them to the GW to be stored in the IA cache, does the GW then query ISE for "SGT" membership, or is the membership included in the information from ISE and then populated into the "Identity Tag" that is manually created, according to the Identity Awareness Admin Guide, as CSGT-<SGT_NAME>?

PhoneBoy
Admin

It still works the same way, more or less:

  • Identity comes from Cisco ISE in the form of name, machine, and IP
  • Groups come from LDAP

With Cisco ISE, there is an additional mechanism that leverages the CSGT-<Name> tags via the CloudGuard Controller (see the CloudGuard Controller R80.20 Administration Guide).

You can create rules based on these tags once they are defined.
