Check Point Identity Collector is a Windows-based application which collects information about identities and their associated IP addresses, and sends it to the Check Point Security Gateways for identity enforcement.
The identities are collected from the following servers:
- Microsoft Active Directory Domain Controllers:
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Cisco Identity Services Engine (ISE) Servers, versions 2.0, 2.1, 2.2, 2.3, 2.4, 2.6, 2.7, and 3.0 (with pxGrid 1 only)
- Syslog messages (requires R80.20 Security Gateway).
- NetIQ eDirectory 8.8 (requires R80.20 Security Gateway).
Identity Collector key benefits over standard AD Query
- Reduces the load on the Security Gateway: the Identity Collector runs the queries instead of the Security Gateway.
- Reduces the load on the Domain Controllers: the native Windows API it uses consumes fewer resources.
- Requires only read-only access to the Domain Controllers' Security logs (no administrative rights on the DC).
- One Identity Collector can serve multiple Security Gateways, even gateways managed by different CMAs (Domain Management Servers).
Identity Collector integration with Cisco ISE/pxGrid
- TrustSec is a Cisco framework that combines the Cisco Identity Services Engine (ISE), a fourth-generation NAC solution, a label-based network separation architecture, and Attribute Based Access Control (ABAC) as an alternative to IP-based enforcement.
- Platform Exchange Grid (pxGrid) is an integration framework for sharing contextual information.
- The Check Point Identity Awareness blade integrates with Cisco ISE servers as an additional identity acquisition source: identity information is extracted from the ISE servers and provided to Check Point Security Gateways for identity-based enforcement. The Check Point Identity Collector is the Windows-based application that extracts this information from the ISE servers over pxGrid and provides it to Security Gateways running Identity Awareness.
The Windows Server on which the Identity Collector will be installed must meet the following requirements:
- Windows Server 2008, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 or Windows Server 2019.
- Connectivity to the organization's AD Domain Controllers using DNS, LDAP and DCOM.
- It is also possible to install the Identity Collector directly on one of the Domain Controllers.
- If any firewall software is installed on the Domain Controllers (including Windows Firewall), make sure that its rules allow DNS, LDAP and DCOM traffic from the machine on which the Identity Collector is installed. With Windows Firewall, enable the predefined "Allow" rule "Remote Event Log Management" --> "Remote Event Log Management (RPC)".
- Connectivity to the Security Gateway over TCP port 443.
- An Administrator account is required to install the Identity Collector and to run the Identity Collector UI process.
- .NET Framework version 4 installed.
- At least 8 GB of RAM.
- At least 10 GB of free disk space.
- Recommended: 16 GB of RAM, 12 cores and at least 60 GB of free disk space.
- Oracle Java JRE 1.8 (Java SE Runtime Environment 8) for Cisco ISE pxGrid 1.0 integration. For Cisco ISE pxGrid 2.0 integration, OpenJDK can be used.
- NOTE: Identity Collector is not supported on SMB appliances.
- To work with Security Gateway R77.20 / R77.30, a hotfix must be installed on that Security Gateway (the required hotfix is already integrated into Security Gateway R80.10).
- For AD integration, the Identity Collector requires an AD user that belongs to the built-in Event Log Readers group. No administrative role is required for this user.
- No AD schema changes are required.
- The Identity Collector provides information about users, machines and IP addresses to the Security Gateway. LDAP Account Unit(s) must be configured so that the PDP gateways can perform group lookups on the identities provided by the Identity Collector and match them to Access Roles.
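The Domain Controller side of the requirements above (read-only Security log access through the Event Log Readers group, and Windows Firewall rules for DNS, LDAP and the Event Log RPC interface) can be prepared with the following PowerShell. This is an added example, not code from the sk article or from Check Point; the collector's IP address and the service account name are assumptions, and the cmdlets need Windows Server 2012 or later (on Windows Server 2008 use netsh advfirewall instead).

```powershell
# Added example (not part of the sk article). Run in an elevated PowerShell on
# the Domain Controller that the Identity Collector will query.
$CollectorIP = '10.0.0.25'   # assumption: address of the Identity Collector host
$ServiceUser = 'svc_idc'     # assumption: AD user the collector authenticates as

Import-Module ActiveDirectory

# 1. Read-only access to the Security log: membership in the built-in
#    "Event Log Readers" group is sufficient; no administrative role is needed.
$group = 'Event Log Readers'
$alreadyMember = Get-ADGroupMember -Identity $group |
    Where-Object SamAccountName -eq $ServiceUser
if (-not $alreadyMember) {
    Add-ADGroupMember -Identity $group -Members $ServiceUser
}

# 2. Windows Firewall. The predefined group contains the "(RPC)" rule the
#    article names plus the "(RPC-EPMAP)" rule; the collector's DCOM/RPC
#    client first asks the endpoint mapper on TCP 135 where the Event Log
#    service listens, so both are needed.
Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management'

# DNS and LDAP/LDAPS from the collector host only (least exposure).
New-NetFirewallRule -DisplayName 'Identity Collector - DNS (UDP)' `
    -Direction Inbound -Action Allow -Protocol UDP -LocalPort 53 -RemoteAddress $CollectorIP
New-NetFirewallRule -DisplayName 'Identity Collector - DNS (TCP)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 53 -RemoteAddress $CollectorIP
New-NetFirewallRule -DisplayName 'Identity Collector - LDAP/LDAPS' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 389, 636 -RemoteAddress $CollectorIP

# 3. Verify the result.
Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' |
    Select-Object DisplayName, Enabled, Direction
Get-ADPrincipalGroupMembership -Identity $ServiceUser |
    Select-Object -ExpandProperty Name
```

If the Identity Collector is installed on the Domain Controller itself, the firewall rules are not needed, but the service account should still be a plain user in Event Log Readers rather than an administrator.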
The Identity Collector uses the Windows Event Log API to fetch the Domain Controllers' Security logs.
The Windows Event Log API is included in the operating system beginning with Windows Vista and Windows Server 2008 (client and server).
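Before installing, the collector-side requirements (DNS, LDAP and DCOM reachability to the DCs, TCP 443 to the gateway, .NET 4, memory and disk, Java for pxGrid 1.0) and the Event Log permission can be checked from the prospective Identity Collector host. The script below is an added example, not Check Point's code; the DC names, gateway address and service account are assumptions. Its last step reads one Security-log record remotely through the same Windows Event Log API the collector uses, with the non-admin service account, which exercises both the Event Log Readers membership and the RPC firewall rules in one call.

```powershell
# Added example (not part of the sk article). Run on the host that will run
# the Identity Collector, on Windows Server 2012 or later.
$DomainControllers = 'dc01.corp.example', 'dc02.corp.example'   # assumption
$Gateway           = '10.0.0.1'                                 # assumption: PDP gateway
$ServiceUser       = 'CORP\svc_idc'                             # assumption

$results = [ordered]@{}

# .NET Framework 4.x: the v4\Full key exists only when 4.0 or later is installed.
$net4 = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
    -ErrorAction SilentlyContinue
$results['.NET Framework 4 installed'] = [bool]$net4

# Memory and free disk against the article's minimums (8 GB RAM, 10 GB disk).
$ramGB  = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
$freeGB = [math]::Round((Get-PSDrive C).Free / 1GB, 1)
$results["RAM $ramGB GB (minimum 8)"]        = $ramGB  -ge 8
$results["Free disk $freeGB GB (minimum 10)"] = $freeGB -ge 10

# Java runtime on PATH (only required for the pxGrid 1.0 integration).
$results['java on PATH (pxGrid 1.0 only)'] = [bool](Get-Command java -ErrorAction SilentlyContinue)

# Name resolution and TCP reachability. 389/636 are LDAP/LDAPS; 135 is the RPC
# endpoint mapper that DCOM contacts first. The dynamic RPC port it then
# returns cannot be probed with a fixed port test.
foreach ($dc in $DomainControllers) {
    $results["DNS resolves $dc"] = [bool](Resolve-DnsName $dc -ErrorAction SilentlyContinue)
    foreach ($port in 389, 636, 135) {
        $results["$dc TCP/$port"] =
            (Test-NetConnection $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    }
}
$results["$Gateway TCP/443"] =
    (Test-NetConnection $Gateway -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded

# Remote Security-log read as the service account. Get-WinEvent uses the
# Windows Event Log API over RPC, so a success here means the account is in
# Event Log Readers on the DC and the Remote Event Log Management rules are open.
$cred = Get-Credential -UserName $ServiceUser -Message 'Identity Collector service account'
foreach ($dc in $DomainControllers) {
    try {
        $null = Get-WinEvent -ComputerName $dc -Credential $cred `
            -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 1 -ErrorAction Stop
        $results["$dc Security log readable as $ServiceUser"] = $true
    } catch {
        $results["$dc Security log readable as $ServiceUser"] = $false
    }
}

# Summary
$results.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key)
}
```

A FAIL on the last check with PASS on TCP/135 usually means the account is not yet in Event Log Readers (or the group change has not propagated to the user's token); a FAIL on TCP/135 points at the firewall.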
Identity Collector Scale
- Identity Collector can communicate with up to 35 Active Directory servers.
- Identity Collector can process up to 1900 AD events per second.
Identity Collector redundancy
The Identity Collector currently does not offer "out of the box" redundancy. However, the following configuration provides it:
- Install the Identity Collector on two separate Windows Server machines.
- Configure both to query the same identity servers and to serve the same gateways (the configuration is identical on both).
With this configuration you have "Active/Active" redundancy.
The Domain Controllers should not be noticeably affected by this, because the API the Identity Collector uses is a light consumer of resources. On the gateway side only the first copy of each event is processed; the duplicate sent by the second Identity Collector is ignored.
Identity Collector Filters
Starting with 80.67.0000 (with IDA-535, see sk134312), the Identity Collector has 2 types of filter sets:
Global filter - applied to all gateways configured in this Identity Collector. It is a good idea to handle service accounts in this filter (see sk113833 and sk131792 for a better understanding of service account identification).
Regular filters - can be applied to one or a few gateways, under the gateway object in the Identity Collector "Gateways" view. These filters apply specific filtering that is not relevant to all gateways.
Each filter set (Global or Regular) can be defined with the following categories:
- Network Filter - IP-based filter.
- Identity Filter - user / machine filter.
- Domain Filter.
- Group Filter (since version 81.018.0000).
Each filter can be either "Include" or "Exclude".
Monitoring information on the configured identity sources is sent from the Identity Collector to the gateway.
Each Identity Collector that connects to a gateway sends information about the identity sources configured in the Query Pool linked to that gateway.
The information includes the following: Type, Name, Host, and event counters.
Monitoring is not enabled by default. To enable it, add a DWORD registry value named "MonitoringEnabled" (no leading space) and set it to 1, under the following location:
- For 32-bit machines: HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IdentityCollector\
- For 64-bit machines: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CheckPoint\IdentityCollector\
The default frequency of sending the data is 10 seconds. The frequency is configurable through a DWORD registry value named "MonitoringInterval" in the same location (for example, set it to 60 for a frequency of 1 minute).
This capability was added in R80.20.
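The two registry values can be set without hand-editing the registry, picking the right key for the machine's bitness (the Identity Collector is a 32-bit application, which is why its settings live under Wow6432Node on 64-bit Windows). This is an added example, not Check Point's code; the 60-second interval is an assumption.

```powershell
# Added example (not part of the sk article). Run in an elevated PowerShell
# on the Identity Collector host.
$IntervalSeconds = 60   # assumption: report every minute instead of the 10 s default

# Same two paths the article lists, chosen by OS bitness.
$key = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\CheckPoint\IdentityCollector'
} else {
    'HKLM:\SOFTWARE\CheckPoint\IdentityCollector'
}

if (-not (Test-Path $key)) {
    # The key normally exists after installation; create it if it does not.
    New-Item -Path $key -Force | Out-Null
}

# Both values are DWORDs. The value name must be exactly "MonitoringEnabled",
# with no leading space (a copy-paste of the article's quoted text would add one).
Set-ItemProperty -Path $key -Name 'MonitoringEnabled'  -Value 1                -Type DWord
Set-ItemProperty -Path $key -Name 'MonitoringInterval' -Value $IntervalSeconds -Type DWord

# Read back what was written.
Get-ItemProperty -Path $key | Select-Object MonitoringEnabled, MonitoringInterval
```

The article does not say whether the Identity Collector must be restarted to pick up the change; if the counters do not appear on the gateway (cpstat identityServer -f idc), restart the Identity Collector and check again.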
There are 2 ways to query the data on the gateway:
- SNMP: the Object Identifiers (OIDs) that point to this information are listed in $FWDIR/conf/identity_server.cps.
- Command line:
  - Via the cpstat CLI: cpstat identityServer -f idc
  - Via the pdp CLI: pdp idc status (available since R80.30)
Identity Collector - Ignore RDP events
When a Remote Desktop login to a Domain Controller occurs, 2 login events are generated on that DC with the same username but different IP addresses:
one with the IP address of the computer from which the login was made, and one with the IP address of the Domain Controller to which the login was made.
If this option is selected (this is the default), the Identity Collector ignores the event with the IP address of the computer from which the login was made, because it is redundant.
The RDP event that is ignored is event ID 4624 with logon type 10.
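The rule is easy to reproduce against Security-log records, which is useful when checking why a user was or was not mapped to a given address. The script below is an added example, not Check Point's code: the three records are constructed to mimic the pair of events the article describes (same user, one 4624 with logon type 10 carrying the RDP client's address, one carrying the DC's own address) plus an ordinary network logon; the user names, addresses and the logon type 3 on the DC-side record are assumptions, since the article only says that record carries the DC's IP. The filter drops exactly what the collector drops: 4624 with logon type 10.

```powershell
# Added example (not part of the sk article). Constructed sample records.
$SampleEvents = @(
    [pscustomobject]@{ Id = 4624; TargetUserName = 'alice'; LogonType = 10; IpAddress = '10.0.5.17' }  # RDP client -> DC
    [pscustomobject]@{ Id = 4624; TargetUserName = 'alice'; LogonType = 3;  IpAddress = '10.0.0.10' }  # DC's own address (type assumed)
    [pscustomobject]@{ Id = 4624; TargetUserName = 'bob';   LogonType = 3;  IpAddress = '10.0.5.42' }  # ordinary network logon
)

function Select-IdentityEvents {
    # Keeps the 4624 records the collector would forward; with -IgnoreRdp $true
    # (the collector's default) the logon-type-10 record is dropped as redundant.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [bool] $IgnoreRdp = $true
    )
    foreach ($e in $Events) {
        if ($e.Id -ne 4624) { continue }
        if ($IgnoreRdp -and $e.LogonType -eq 10) { continue }
        $e
    }
}

# alice is mapped once, to the DC address; bob is unchanged.
Select-IdentityEvents -Events $SampleEvents | Format-Table TargetUserName, LogonType, IpAddress

# Same filter on live data: pull 4624 records from a DC and flatten the XML
# EventData into the shape above. Needs Event Log Readers membership on the DC.
function Get-LogonEvents {
    param([Parameter(Mandatory)] [string] $ComputerName, [int] $MaxEvents = 200)
    Get-WinEvent -ComputerName $ComputerName `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Id             = $_.Id
            TargetUserName = $d['TargetUserName']
            LogonType      = [int]$d['LogonType']
            IpAddress      = $d['IpAddress']
        }
    }
}
# Example call (hostname is an assumption):
# Select-IdentityEvents -Events (Get-LogonEvents -ComputerName 'dc01.corp.example')
```

Running the live variant with -IgnoreRdp $false shows both records for an RDP session to the DC; with the default, the client's address disappears from the output, which is the behaviour to expect on the gateway when this option is enabled.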
Identity Collector connections and ports

Connection                                       | Port        | Protocol / purpose
-------------------------------------------------|-------------|--------------------------------------------------------------------------------
Identity Collector to Identity Awareness Gateway | TCP 443     | Proprietary Check Point protocol over HTTPS. Used for the ongoing communication between the Identity Collector and the Security Gateway.
Identity Awareness Gateway to Domain Controller  | 389 / 636   | LDAP / LDAPS
Identity Collector to Domain Controller          | 389 / 636*  | LDAP / LDAPS*. Used for fetching the Domain Controllers automatically.
Identity Collector to Domain Controller          |             | DCOM, which makes extensive use of DCE/RPC. Microsoft encrypted APIs are used between the Identity Collector and the Domain Controller.
Identity Collector to Cisco ISE                  |             | pxGrid session subscribe. Gets notifications of new login/logout events.
Identity Collector to Cisco ISE                  |             | pxGrid bulk session download. Fetches all the active sessions from the ISE server.

* Note: LDAPS (through port 636) is optional when using "NetIQ eDirectory" and "Active Directory" (since 81.018.0000).
To configure the Identity Collector to use LDAP over SSL when fetching Active Directory Domain Controllers:
click New Source > Active Directory > Fetch Automatically and choose LDAP over SSL.
sk134312 - Identity Awareness Agents
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
- This solution merges sk110155.