The process you are referring to is called "AD Query" by Check Point. A process called pdpd on the firewall uses WMI to monitor certain entries being written to the domain controller's security log, such as domain logons (Kerberos ticket assignments) and domain/ticket renewals. When pdpd receives a security log entry of this nature, it puts a user-to-IP mapping in the firewall's cache, and at that time also performs an additional query against AD to see what AD groups the user is a member of. By default the mapping will be kept in the firewall's cache for a maximum of 12 hours, unless a renewal or other event is received for that same mapping, at which time the 12-hour countdown will start again.
The monitoring of the domain controller's security log can be "outsourced" from the firewall to the Windows-based Identity Collector software in R80.10, which uses a special API interface to monitor security log entries instead of WMI. This API process is more efficient and reduces the load imposed on the domain controller.
The official Identity Awareness Administration Guide documentation should be able to answer any further questions, as well as:
sk86441: ATRG: Identity Awareness
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
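To make the mapping lifecycle described in the answer above concrete, here is an added Python model (not Check Point's code and not from the poster) of a user-to-IP cache with a sliding 12-hour expiry that is restarted by renewal events. The Windows event IDs, the group-lookup stand-in, and the choice to keep cached groups rather than re-query them on renewal are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Assumed for this example: Security log event IDs an AD Query-style collector
# treats as logons (4624, 4768 TGT, 4769 service ticket) and renewals (4770).
LOGON_EVENT_IDS = {4624, 4768, 4769}
RENEWAL_EVENT_IDS = {4770}
DEFAULT_TTL = timedelta(hours=12)          # the post's default cache lifetime

class IdentityCache:
    def __init__(self, group_lookup, ttl=DEFAULT_TTL):
        self._group_lookup = group_lookup  # stand-in for the AD group query
        self._ttl = ttl
        self._entries = {}                 # ip -> (user, groups, expires_at)
        self.group_queries = 0             # counts calls to the "AD" lookup

    def handle_event(self, event, now):
        eid, user, ip = event["event_id"], event["user"], event["ip"]
        if eid in LOGON_EVENT_IDS:
            # Logon: store the mapping, query groups once, start the countdown.
            self.group_queries += 1
            groups = frozenset(self._group_lookup(user))
            self._entries[ip] = (user, groups, now + self._ttl)
        elif eid in RENEWAL_EVENT_IDS:
            cached = self._entries.get(ip)
            if cached and cached[0] == user:
                # Renewal of the same mapping restarts the countdown; assumed
                # here that the cached groups are kept rather than re-queried.
                self._entries[ip] = (user, cached[1], now + self._ttl)
        # Any other event ID is not an identity event and is ignored.

    def lookup(self, ip, now):
        cached = self._entries.get(ip)
        if cached is None:
            return None
        user, groups, expires_at = cached
        if now >= expires_at:
            del self._entries[ip]          # expired: drop the stale mapping
            return None
        return user, groups

def demo():
    # Constructed timeline: TGT at 08:00, renewal at 19:00, lookups later.
    t0 = datetime(2024, 1, 1, 8, 0)
    cache = IdentityCache(lambda u: {"Domain Users", "VPN-Users"})
    cache.handle_event({"event_id": 4768, "user": "alice", "ip": "10.0.0.5"}, t0)
    cache.handle_event({"event_id": 4770, "user": "alice", "ip": "10.0.0.5"}, t0 + timedelta(hours=11))
    return {"after_renewal": cache.lookup("10.0.0.5", t0 + timedelta(hours=22)),
            "after_expiry": cache.lookup("10.0.0.5", t0 + timedelta(hours=23, minutes=30)),
            "group_queries": cache.group_queries}
```

Without the 4770 renewal the 22:00 lookup would already return None, which is the sliding-window behaviour the answer describes; the single group query shows that group membership is fetched when the mapping is created, not on every event.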