This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
MVP Silver
MVP Silver
‎2023-07-06 05:56 AM

New IA Implementation

Hello,

 

One query, please.

Due to customer need, we require to implement the AI blade.

 

The customer has a quite large network (More than 2000 users).

 

I understand that there are 2 ways to integrate the Windows Server AD, by the AD Query / Identity Collector (correct me if I am wrong please).

 

I understand that the viable method for us would be to install some application in the same AD Windows Server.

 

I understand that this application is called IDENTITY COLLECTOR, right?

 

If my comment is true, downloading and installing this application, is it free or is it required to make a purchase from Checkpoint?

 

Are end users going to have to be forced to install some application on their computers?

 

Greetings.

0 Kudos
14 Replies
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-07-06 06:35 AM

Identity Collector can be installed on a Window machine in the same domain doesn't have to be the DC, no cost is involved specific to the collector.

Identity agents for the client PCs are not mandatory but will operate more effectively in some scenarios.

CCSM R77/R80/ELITE
0 Kudos
Ruan_Kotze
MVP Gold
MVP Gold
‎2023-07-06 06:50 AM

Hi Matlu,

Identity Collector is absolutely the way to go, AD Query is being deprecated, and in fact you have to jump through hoops to get that working nowadays. 

You don't need to install it on a DC, a member server is fine.  An active support contract will entitle you to the download, there is no separate charge.

There is an client that you can install on a client, but it should not be necessary from what I can see (in fact it's not necessary for the vast majority of use cases in my experience).

Thanks,
Ruan

0 Kudos
Matlu
MVP Silver
MVP Silver
‎2023-07-06 10:31 AM
In response to Ruan_Kotze

Hello,

Can you share me the SK or WEB from where I could download the Identity Collector, please.

In addition to this, I understand that this application does not need to be installed in the same Windows Server we have, but in any station with privileges, certain ????

When activating the AI blade in the Cluster object from my SmartConsole, in order to work with the Identity Collector, I must select the option that I show in the image, correct?

IA.png

Cheers

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-07-06 10:39 AM
In response to Matlu

Hey bro,

Once IA blade is enabled, dont even bother going through the wizard, just cancel it, make sure blade shows as on and you can download collected from below option, just make sure its checked.

Andy

 

Screenshot_1.png

 

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topic...

Best,
Andy
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2023-07-06 11:22 AM
In response to the_rock

Hi, Bro.

The customer has serious doubts in implementing the agent.

Is it still feasible to use the AD Query mode, for a number of approx. 4k users?


Greetings.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-07-06 11:31 AM
In response to Matlu

Hey bro,

You can do that, but please show them below. We had few customers with same concern and now they are so happy they went with collector and they are actually bit upset they had not done it sooner.

Andy

 

https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics/Identity-...

 

These are the benefits of using Identity Collector instead of a standard AD QueryClosed:

Reduced load on the Security Gateway - Identity Collector does the queries instead of the Security Gateway

Reduced load on the Domain Controller (DC) - the native Windows API consumes fewer resources

Lower permissions required - Identity Collector requires read-only access to the domain security logs

No changes are required in the Active Directory (AD) schema.

One Identity Collector can serve multiple Security Gateways, even from a different Domain Management Servers on a Multi-Domain ServerClosed.

Identity Collector can communicate with a maximum of up to 35 Active Directory (AD) servers.

Identity Collector can process a maximum of 1900 Active Directory (AD) events per second.

Best,
Andy
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2023-07-06 11:39 AM
In response to the_rock

Andy,

I will try to persuade the client, even if he is a bit "inane", and well, I have not implemented the agent before, so I am "reading the documentation".

Could you comment me, which is the option of the agent, that should be downloaded in our case, for a Windows Server 2019 to more, please????

IA2.png

What leaves me doubts in the documentation, is if only enough to install the agent on the server and already, or is that I will have to install other agents separately, other agents on each machine of each user ...

0 Kudos
PhoneBoy
Admin
Admin
‎2023-07-06 11:46 AM
In response to Matlu

The SK I referred to earlier explains what each agent is for.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-07-06 11:48 AM
In response to Matlu

Just install the collector (first one in the list), though one I gave you from last screenshot works even on windows 11 (tried it myself in the lab). Then, once installed, I attached some screenshots of what you need to do. 

Andy

 

 

Best,
Andy
Preview file
873 KB
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-07-06 11:50 AM
In response to Matlu

Btw, @PhoneBoy explained it PERFECTLY. And trust me, hes been around CP almost since the beginning, so if you should listen to anyone, its him...just saying : - )

Andy

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2023-07-06 11:42 AM
In response to Matlu

I would not do ANY new deployments with AD Query at this point.
First of all, AD Query causes additional load on the AD server.
With 4k users, this might be noticeable.
Second, due to various security vulnerabilities in WMI, Microsoft has and continues to make changes, some of which have broken AD Query.
Currently, using fully patched AD servers, AD Query can only be implemented using an account with Domain Admin credentials.

Meanwhile, Identity Collector:

  • Is significantly more scalable
  • Only requires an account that can read Security Logs from Active Directory
  • Is the recommended solution
(1)
Matlu
MVP Silver
MVP Silver
‎2023-07-06 02:59 PM
In response to PhoneBoy

Thank you for the clarification.

I think the best option is to make a lab for this.

I will try to replicate the scenario I need for our client.

the_rock
MVP Gold
MVP Gold
‎2023-07-06 03:22 PM
In response to Matlu

Lab is always best bro 🙂

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2023-07-06 10:59 AM
In response to Matlu

All the various Identity Awareness clients (including Collector) are linked here: https://support.checkpoint.com/results/sk/sk134312

(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events