Hello,
One query, please.
Due to customer need, we require to implement the AI blade.
The customer has a quite large network (More than 2000 users).
I understand that there are 2 ways to integrate the Windows Server AD, by the AD Query / Identity Collector (correct me if I am wrong please).
I understand that the viable method for us would be to install some application in the same AD Windows Server.
I understand that this application is called IDENTITY COLLECTOR, right?
If my comment is true, is downloading and installing this application free, or is it required to make a purchase from Check Point?
Are end users going to have to be forced to install some application on their computers?
Greetings.
Identity Collector can be installed on a Windows machine in the same domain; it doesn't have to be the DC. No cost is involved specific to the collector.
Identity agents for the client PCs are not mandatory but will operate more effectively in some scenarios.
Hi Matlu,
Identity Collector is absolutely the way to go, AD Query is being deprecated, and in fact you have to jump through hoops to get that working nowadays.
You don't need to install it on a DC, a member server is fine. An active support contract will entitle you to the download, there is no separate charge.
There is a client that you can install on a client, but it should not be necessary from what I can see (in fact it's not necessary for the vast majority of use cases in my experience).
Thanks,
Ruan
Hello,
Can you share with me the SK or website from where I could download the Identity Collector, please?
In addition to this, I understand that this application does not need to be installed on the same Windows Server we have, but on any station with privileges, right?
When activating the AI blade in the Cluster object from my SmartConsole, in order to work with the Identity Collector, I must select the option that I show in the image, correct?
Cheers
Hey bro,
Once the IA blade is enabled, don't even bother going through the wizard; just cancel it, make sure the blade shows as on, and you can download the collector from the option below. Just make sure it's checked.
Andy
Hi, Bro.
The customer has serious doubts about implementing the agent.
Is it still feasible to use the AD Query mode, for a number of approx. 4k users?
Greetings.
Hey bro,
You can do that, but please show them the below. We had a few customers with the same concern, and now they are so happy they went with the collector, and they are actually a bit upset they had not done it sooner.
Andy
These are the benefits of using Identity Collector instead of a standard AD Query:
Reduced load on the Security Gateway - Identity Collector does the queries instead of the Security Gateway
Reduced load on the Domain Controller (DC) - the native Windows API consumes fewer resources
Lower permissions required - Identity Collector requires read-only access to the domain security logs
No changes are required in the Active Directory (AD) schema.
One Identity Collector can serve multiple Security Gateways, even from different Domain Management Servers on a Multi-Domain Server.
Identity Collector can communicate with a maximum of up to 35 Active Directory (AD) servers.
Identity Collector can process a maximum of 1900 Active Directory (AD) events per second.
Andy,
I will try to persuade the client, even if he is a bit "inane", and well, I have not implemented the agent before, so I am "reading the documentation".
Could you tell me which agent option should be downloaded in our case, for Windows Server 2019 or later, please?
What leaves me with doubts in the documentation is whether it is enough to install the agent on the server and that's it, or whether I will have to install other agents separately, on each machine of each user ...
The SK I referred to earlier explains what each agent is for.
Btw, @PhoneBoy explained it PERFECTLY. And trust me, he's been around CP almost since the beginning, so if you should listen to anyone, it's him...just saying : - )
Andy
I would not do ANY new deployments with AD Query at this point.
First of all, AD Query causes additional load on the AD server.
With 4k users, this might be noticeable.
Second, due to various security vulnerabilities in WMI, Microsoft has and continues to make changes, some of which have broken AD Query.
Currently, using fully patched AD servers, AD Query can only be implemented using an account with Domain Admin credentials.
Meanwhile, Identity Collector:
Thank you for the clarification.
I think the best option is to make a lab for this.
I will try to replicate the scenario I need for our client.
Lab is always best bro 🙂
All the various Identity Awareness clients (including Collector) are linked here: https://support.checkpoint.com/results/sk/sk134312