Identity Collector - Technical Overview
Solution

Introduction

Check Point Identity Collector is a Windows-based application which collects information about identities and their associated IP addresses, and sends it to the Check Point Security Gateways for identity enforcement.

The identities are collected from the following servers:

  • Microsoft Active Directory Domain Controllers: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 2016 (2016 is supported only from R80.10).
  • Cisco Identity Services Engine (ISE) Servers, versions 2.0, 2.1, 2.2, 2.3 (starting from R80.10) and 2.4 (Starting from R80.20).
  • Syslog messages (starting from R80.20).
  • NetIQ eDirectory 8.8 (starting from R80.20).

All Identity Awareness identity sources have the same goal: to provide the Security Gateway with the {user, machine, ip} information.
This information alone is not enough for full Identity Awareness functionality, so the PDP (the Identity Awareness Policy Decision Point process on the gateway) still needs to perform an LDAP query to get more information.

 

Identity Collector key benefits over standard AD Query

  • Reduces the load on the Security Gateway - the agent performs the queries instead of the Security Gateway.
  • Reduces the load on the DCs - the native Windows API that is used consumes fewer resources.
  • The Identity Collector requires no administrator or administrator-like permissions. The only permission required is read-only access to the domain security logs.
  • One Identity Collector can serve multiple Security Gateways, even ones managed from different CMAs.

 

Identity Collector integration with Cisco ISE/pxGrid

  • Trustsec is a Cisco framework that combines the Cisco Identity Services Engine (ISE), a fourth-generation NAC solution, a label-based network separation architecture, and Attribute Based Access Control (ABAC) as an alternative for IP-based enforcement.
  • Platform Exchange Grid (PXGrid) - an integration framework for sharing of contextual information.
  • Check Point Identity Awareness blade integration with Cisco ISE server is available. This integration sets Cisco ISE servers as an additional identity acquisition source, by providing the ability to extract identity information from Cisco ISE servers, and provide it to Check Point Security Gateways for identity-based enforcement. Check Point Identity Collector is a Windows-based application, used to extract information from Cisco ISE servers over the Platform Exchange Grid and provide it to Check Point Security Gateways running Identity Awareness.

 

Mandatory Requirements

Windows Server, on which the Identity Collector will be installed, must meet the following requirements:

  • Windows Server 2008, Windows Server 2012, Windows Server 2012 R2, or Windows 2016 (starting from R80.10).
  • Has connectivity to the AD domain controllers of the organization using DNS, LDAP and DCOM
  • It is also possible to install the Identity Collector directly on one of the Domain Controllers.
    • If any Firewall software is installed on the Domain Controllers (including Windows Firewall),
      then make sure that the rules allow DNS, LDAP and DCOM traffic from the machine, on which the Identity Collector is installed.
      With Windows Firewall, add the following "Allow" rule: "Remote Event Log Management" --> "Remote Event Log Management (RPC)".
  • Has connectivity to the Security Gateway over TCP port 443.
  • Administrator account for Identity Collector installation.
  • Has .NET framework (version 4) installed.
  • At least 8 GB of RAM.
  • At least 10 GB of free disk space.
  • Oracle Java JRE 1.8 (Java SE Runtime Environment 8).
  • NOTE: Identity Collector is not supported on SMB appliances.

 

Additional requirements

  • To work with Security Gateway R77.20 / R77.30, a hotfix must be installed on that Security Gateway
    (the required hotfix is already integrated into Security Gateway R80.10).
  • For AD integration - the Identity Collector requires an AD user that belongs to the default Event Log Readers group.
    No administrative role is required for this user.
  • No AD schema changes are required.

 

Technical Description

The Identity Collector uses the Windows Event Log API to fetch the security logs of the Domain Controllers.
The Windows Event Log API is included in the operating system beginning with Windows Vista and Windows Server 2008 (client and server editions).
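The following PowerShell script is an added example; it is not part of this article and not Check Point's code. It verifies, from the machine that will host the Identity Collector, that the service account has exactly the least-privilege access described in "Additional requirements": membership in the default Event Log Readers group, no administrative group membership, and the ability to read a Domain Controller's Security log remotely through the same Windows Event Log API (RPC/DCOM) the collector relies on. The DC name, domain and account name are placeholders, the RSAT ActiveDirectory module is assumed to be installed, and event ID 4624 (the standard Windows logon event) is an assumption about what to query, since the article does not list event IDs.

```powershell
# Added example (not from the article or from Check Point): verify the least-privilege
# service account for the Identity Collector. Run on the future collector host.
# Placeholder values (assumptions) - replace with your own.
$DomainController = 'dc01.example.local'
$ServiceAccount   = 'svc-idc'          # sAMAccountName of the collector's AD user
$Credential       = Get-Credential -UserName "EXAMPLE\$ServiceAccount" -Message 'Identity Collector service account'

Import-Module ActiveDirectory   # RSAT AD PowerShell module (assumed installed on this host)

# 1. Direct group memberships of the account, read from the target DC.
#    (Get-ADPrincipalGroupMembership lists direct memberships only, not nested ones.)
$groups = Get-ADPrincipalGroupMembership -Identity $ServiceAccount -Server $DomainController |
          Select-Object -ExpandProperty Name

if ($groups -contains 'Event Log Readers') {
    Write-Host "OK: $ServiceAccount is a member of Event Log Readers"
} else {
    Write-Warning "$ServiceAccount is NOT in Event Log Readers; remote Security-log reads will be denied"
}

# 2. The article states that no administrative role is needed, so flag excess privilege.
$adminGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
$excess = $groups | Where-Object { $adminGroups -contains $_ }
if ($excess) { Write-Warning "Over-privileged: $ServiceAccount is in $($excess -join ', ')" }

# 3. End-to-end test: read the newest logon events (ID 4624, assumed) from the DC's
#    Security log remotely, using the Windows Event Log API over RPC/DCOM.
#    An "RPC server is unavailable" failure here usually means the DC firewall does not
#    allow the "Remote Event Log Management (RPC)" rule named in the requirements.
try {
    $events = Get-WinEvent -ComputerName $DomainController -Credential $Credential `
                           -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                           -MaxEvents 5 -ErrorAction Stop
    Write-Host "OK: read $($events.Count) logon events from $DomainController as $ServiceAccount"
    $events | Select-Object TimeCreated, Id, MachineName | Format-Table -AutoSize
} catch {
    Write-Warning "Remote Security-log read failed: $($_.Exception.Message)"
}
```

Step 3 is the check that matters most: it exercises the same remote read path the collector uses, with the collector's own credentials, so a success proves both the Event Log Readers permission and the DCOM/RPC path at once, while steps 1 and 2 tell you which side to fix when it fails.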

 

Identity Collector Scale

  • Identity Collector can communicate with up to 35 Active Directory servers.
  • Identity Collector can process up to 1900 AD events per second.

 

Identity Collector redundancy

Identity Collector currently does not offer an "out of the box" redundancy. However, the following configuration can offer this feature:

  • Install Identity Collector on two separate Windows server machines.
  • Configure both to query the same identity servers and gateways (all configuration is identical).

With this configuration, you will have "Active/Active" redundancy.

The domain controllers should not be dramatically affected by this change, as the API the Identity Collector uses is a light resource consumer. On the gateway side, only the first copy of each event is processed (the second one is ignored).

 

Communication Protocols

Direction | Port | Protocol
Identity Collector to Identity Awareness Gateway | 443 | Proprietary Check Point protocol over HTTPS. Used for ongoing communication between the Agent and the Security Gateway.
Identity Awareness Gateway to Domain Controller | 389 / 636 | LDAP / LDAPS
Identity Collector to Domain Controller | 53 | DNS
Identity Collector to Domain Controller | 389 | LDAP
Identity Collector to Domain Controller | 135, and dynamically allocated ports | DCOM protocol, which makes extensive use of DCE/RPC.
Identity Collector to Cisco ISE | 5222 | Session subscribe. Gets notifications of new login/logout events.
Identity Collector to Cisco ISE | 8910 | Bulk session download. Fetches all the active sessions from the ISE Server.
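The following PowerShell script is an added example, not part of this article and not Check Point's code. Part A runs on the Identity Collector host and probes every collector-initiated path in the table above (gateway 443, DC 53/389/135, ISE 5222/8910); Part B runs on each Domain Controller and enables the Windows Firewall rule group that the "Mandatory Requirements" section asks for, scoped to the collector hosts only. Host names and addresses are placeholders; the NetTCPIP, DnsClient and NetSecurity cmdlets used are assumed to be available (Windows Server 2012 or later).

```powershell
# Added example (not from the article or from Check Point).
# Placeholder names and addresses are assumptions - replace them.
$Gateway           = 'gw01.example.local'
$DomainControllers = @('dc01.example.local', 'dc02.example.local')
$CiscoIse          = 'ise01.example.local'   # skip the ISE checks if you only use AD
$CollectorHosts    = @('10.0.0.10', '10.0.0.11')   # the (redundant) collector machines

# ---- Part A: run on the Identity Collector host ----------------------------
function Test-IdcPath {
    param([string]$Target, [int]$Port, [string]$Purpose)
    $r = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    [pscustomobject]@{ Target = $Target; Port = $Port; Purpose = $Purpose; State = $state }
}

$results = @()
$results += Test-IdcPath $Gateway 443 'Collector -> Gateway (proprietary protocol over HTTPS)'
foreach ($dc in $DomainControllers) {
    # DNS uses UDP as well as TCP 53, and Test-NetConnection only probes TCP,
    # so perform a real lookup against the DC instead of a bare port test.
    try   { $null = Resolve-DnsName -Name $dc -Server $dc -ErrorAction Stop; $dns = 'open' }
    catch { $dns = 'BLOCKED' }
    $results += [pscustomobject]@{ Target = $dc; Port = 53; Purpose = 'Collector -> DC (DNS lookup)'; State = $dns }
    $results += Test-IdcPath $dc 389 'Collector -> DC (LDAP)'
    # 135 is only the DCE/RPC endpoint mapper; DCOM then moves to dynamically allocated
    # ports, so an open 135 proves the first hop only. A successful remote Security-log
    # read (Get-WinEvent -ComputerName) is the full proof of the DCOM path.
    $results += Test-IdcPath $dc 135 'Collector -> DC (DCOM / DCE-RPC endpoint mapper)'
}
$results += Test-IdcPath $CiscoIse 5222 'Collector -> ISE (pxGrid session subscribe)'
$results += Test-IdcPath $CiscoIse 8910 'Collector -> ISE (pxGrid bulk session download)'
$results | Format-Table -AutoSize

# ---- Part B: run elevated on each Domain Controller ------------------------
function Enable-IdcDcFirewall {
    param([string[]]$AllowedCollectors)
    # The "Remote Event Log Management" rule group contains the "(RPC)" rule named in the
    # article together with its endpoint-mapper companion, which is what covers port 135
    # plus the dynamic DCOM ports. Restricting RemoteAddress to the collector hosts keeps
    # remote event-log access off the rest of the network.
    Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management' -Direction Inbound
    Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $AllowedCollectors
    Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' |
        Select-Object DisplayName, Enabled, Direction | Format-Table -AutoSize
}
# Enable-IdcDcFirewall -AllowedCollectors $CollectorHosts
```

Part B is left as a call to uncomment because it changes the DC's firewall; scoping the rules to the collector addresses, rather than enabling the group unconditionally, is the difference between permitting one application and exposing remote event-log reads to every host on the network.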

 

Downloads

Hotfix for Security Gateway
  • R80.10, R80.20: The relevant hotfix is already integrated.
  • R77.30: The fix was integrated in R77.30 Jumbo Hotfix Take_308 (Ongoing) and above. To download it, refer to sk106162.
  • R77.20: Contact Check Point Support to get this package. A Support Engineer will make sure the package is compatible with your environment before providing it. For faster resolution and verification, please collect CPInfo files from the Security Management Server and Security Gateway involved in the case.
    Note: This hotfix can be installed on top of either R77.20 GA, or any Take of R77.20 Jumbo Hotfix Accumulator.
  • R76SP.50: The fix was integrated in R76SP.50 Jumbo Hotfix Take_31 and above. To download it, refer to sk117633.

Identity Collector for a Windows Server
  • R80.10, R80.20: Download from https://<IP_of_Security Gateway>/_IA_IDC/download/CPIdentityCollector.msi
    Refer to the relevant Identity Awareness Administration Guide, chapter "Configuring Identity Sources", section "Configuring the Identity Collector".
    Note: The download link will only work after installing the policy on the Security Gateway / VS with "Identity Collector" enabled.
  • R77.30: Contact Check Point Support to get this package.
  • R77.20: Contact Check Point Support to get this package.
  • R76SP.50: Contact Check Point Support to get this package.

Release Notes
  • R80.20: Refer to the R80.20 Identity Awareness Administration Guide.
  • R80.10: Refer to the R80.10 Identity Awareness Administration Guide.
  • R77.30: Refer to the R77.30 Identity Collector Release Notes.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
Applies To:
  • This solution merges sk110155.
