Identity Collector - Technical Overview
Solution

Introduction

Check Point Identity Collector is a Windows-based application which collects information about identities and their associated IP addresses, and sends it to the Check Point Security Gateways for identity enforcement.

The identities are collected from the following servers:

  • Microsoft Active Directory Domain Controllers: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 2016 (2016 is supported only from R80.10).
  • Cisco Identity Services Engine (ISE) Servers, versions 2.0, 2.1, 2.2, 2.3 (starting from R80.10) and 2.4 (Starting from R80.20).
  • Syslog messages (starting from R80.20).
  • NetIQ eDirectory 8.8 (starting from R80.20).

All Identity Awareness identity sources have the same goal: to provide the Security Gateway with {user, machine, ip} information.
This information alone is not enough for full Identity Awareness functionality, so the PDP also needs to perform an LDAP query to obtain the additional information it requires.


Identity Collector key benefits over standard AD Query

  • Reduces the load on the Security Gateway - the agent performs the queries instead of the Security Gateway.
  • Reduces the load on the DCs - the native Windows API used consumes fewer resources.
  • The Identity Collector requires no administrator or administrator-like permissions. The only permission required is read-only access to the domain security logs.
  • One Identity Collector can serve multiple Security Gateways, even from different CMAs.


Identity Collector integration with Cisco ISE/pxGrid

  • TrustSec is a Cisco framework that combines the Cisco Identity Services Engine (ISE), a fourth-generation NAC solution, a label-based network separation architecture, and Attribute Based Access Control (ABAC) as an alternative to IP-based enforcement.
  • Platform Exchange Grid (pxGrid) - an integration framework for sharing contextual information.
  • Check Point Identity Awareness blade integration with Cisco ISE servers is available. This integration adds Cisco ISE servers as an additional identity acquisition source: identity information is extracted from the Cisco ISE servers and provided to Check Point Security Gateways for identity-based enforcement. The Check Point Identity Collector is the Windows-based application that extracts this information from the Cisco ISE servers over the Platform Exchange Grid and provides it to Check Point Security Gateways running Identity Awareness.


Mandatory Requirements

Windows Server, on which the Identity Collector will be installed, must meet the following requirements:

  • Windows Server 2008, Windows Server 2012, Windows Server 2012 R2, or Windows 2016 (starting from R80.10).
  • Has connectivity to the AD Domain Controllers of the organization using DNS, LDAP and DCOM.
  • It is also possible to install the Identity Collector directly on one of the Domain Controllers.
    • If any firewall software is installed on the Domain Controllers (including Windows Firewall), make sure its rules allow DNS, LDAP and DCOM traffic from the machine on which the Identity Collector is installed.
      With Windows Firewall, add the following "Allow" rule: "Remote Event Log Management" --> "Remote Event Log Management (RPC)".
  • Has connectivity to the Security Gateway over TCP port 443.
  • Administrator account for Identity Collector installation.
  • Has .NET framework (version 4) installed.
  • At least 8 GB of RAM.
  • At least 10 GB of free disk space.
  • Oracle Java JRE 1.8 (Java SE Runtime Environment 8).
  • NOTE: Identity Collector is not supported on SMB appliances.


Additional requirements

  • To work with Security Gateway R77.20 / R77.30, a hotfix must be installed on that Security Gateway
    (the required hotfix is already integrated into Security Gateway R80.10).
  • For AD integration - the Identity Collector requires an AD user that belongs to the default Event Log Readers group.
    No administrative role is required for this user.
  • No AD schema changes are required.
  • The Identity Collector provides information about users, machines and IP addresses to the Security Gateway. The LDAP Account Unit(s) should be configured to allow the PDP gateways to perform group lookups on the identities provided by the Identity Collector, so that they can be matched to Access Roles.


Technical Description

The Identity Collector uses the Windows Event Log API to fetch the Domain Controllers' Security logs.
The Windows Event Log API is included in the operating system beginning with Windows Vista and Windows Server 2008 (client and server).


Identity Collector Scale

  • Identity Collector can communicate with up to 35 Active Directory servers.
  • Identity Collector can process up to 1900 AD events per second.


Identity Collector redundancy

The Identity Collector currently does not offer "out of the box" redundancy. However, the following configuration provides it:

  • Install the Identity Collector on two separate Windows Server machines.
  • Configure both to query the same identity servers and gateways (the configuration is identical on both).

With this configuration, you have "Active/Active" redundancy.

The Domain Controllers should not be dramatically affected by this, as the API the Identity Collector uses is a light resource consumer. On the gateway side, only the first copy of each event is processed (the second one is ignored).


Identity Collector Filters

Starting from Identity Collector version 80.67.0000 (with IDA-535 - see sk134312), the Identity Collector has 2 types of filter sets:

Global filter - Applied to all gateways configured in this Identity Collector. It is a good idea to configure service accounts in this filter (see sk113833 and sk131792 for a better understanding of service account identification).

Regular Filters - Can be applied to one or several gateways, under the gateway object in the Identity Collector "Gateways" view. This filter is used to apply specific filtering that is not relevant to all gateways.


Each Filter set (either Global / Regular) can be defined with the following categories:

  1. Network Filter - IP based filter.
  2. Identity Filter - user / machine filter.
  3. Domain Filter.

Each filter can be either "Include" or "Exclude".


Monitoring capability

Monitoring information on the configured identity sources is sent from the Identity Collector to the gateway.
Each Identity Collector that connects to a gateway sends information about the identity sources configured in the Query Pool it is linked to.
The information includes the following for each source: Type, Name, Host, and event counters.

Monitoring is not enabled by default. To enable it, add a registry key named "MonitoringEnabled" and set it to 1.

The default frequency of sending the data is 10 seconds. The frequency is configurable via a registry key named "MonitoringInterval" (for example, set it to 60 to send the data once per minute).

This capability was added in R80.20.

There are 2 options to query the data:

  • SNMP:
    The SNMP Object Identifiers (OIDs) that point to this information are listed in $FWDIR/conf/identity_server.cps.

  • Command Line:
    - Via cpstat CLI: cpstat identityServer -f idc
    - Via pdp CLI: pdp idc status (available since R80.30)

Identity Collector - Ignore RDP events 

When a Remote Desktop login is made to a Domain Controller, two logon events with the same username but different IP addresses are recorded on that DC:
one with the IP address of the computer from which the login was made, and one with the IP address of the Domain Controller to which the login was made.

If this option is selected (this is the default), the Identity Collector ignores the event carrying the IP address of the computer from which the login was made, because it is redundant.

The RDP event that is ignored is Event ID 4624 with logon type 10.
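As an added illustration (not Check Point's code), the PowerShell below shows what this option means at the event level: each 4624 record is reduced to the {user, machine, ip} triplet the page describes, and logon type 10 is dropped when -IgnoreRdp is set. The two event XML records are constructed samples; the Get-WinEvent line in the final comment is how the same function would be fed from a real DC.

```powershell
# Added example, not part of the Identity Collector. Reduces Windows Security event 4624
# records to the {user, machine, ip} triplet and optionally drops logon type 10 (RDP),
# which is the event the "Ignore RDP events" option skips.
function ConvertTo-IdentityRecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$EventXml,  # one 4624 event, as returned by $_.ToXml()
        [switch]$IgnoreRdp                                           # mirrors the collector option (on by default there)
    )
    process {
        $d = @{}
        foreach ($n in ([xml]$EventXml).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($IgnoreRdp -and $d.LogonType -eq '10') { return }        # RDP logon: the redundant event
        if ($d.IpAddress -in '-', '::1', '127.0.0.1') { return }      # no usable source address, nothing to map
        [pscustomobject]@{
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Machine   = $d.WorkstationName
            Ip        = $d.IpAddress
            LogonType = [int]$d.LogonType
        }
    }
}

# Constructed sample: the two logon events the page describes for one RDP session to a DC,
# same user, different IP addresses (10.1.2.3 = source workstation, 10.0.0.10 = the DC).
$rdpLogon = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID></System>
<EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="LogonType">10</Data><Data Name="WorkstationName">WS01</Data><Data Name="IpAddress">10.1.2.3</Data>
</EventData></Event>
'@
$netLogon = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID></System>
<EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="LogonType">3</Data><Data Name="WorkstationName">DC01</Data><Data Name="IpAddress">10.0.0.10</Data>
</EventData></Event>
'@

# With -IgnoreRdp only the type-3 event survives, so the gateway learns CORP\jdoe once, at 10.0.0.10.
$rdpLogon, $netLogon | ConvertTo-IdentityRecord -IgnoreRdp | Format-Table -AutoSize

# Live use against a DC (needs the Event Log Readers membership and RPC/DCOM access the page lists):
# Get-WinEvent -ComputerName dc01 -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 500 |
#     ForEach-Object { $_.ToXml() } | ConvertTo-IdentityRecord -IgnoreRdp
```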

Communication Protocols

Direction | Port | Protocol
Identity Collector to Identity Awareness Gateway | 443 | Proprietary Check Point protocol over HTTPS. Used for ongoing communication between the Agent and the Security Gateway.
Identity Awareness Gateway to Domain Controller | 389 / 636 | LDAP / LDAPS
Identity Collector to Domain Controller | 53 | DNS
Identity Collector to Domain Controller * | 389 | LDAP
Identity Collector to Domain Controller | 135, plus dynamically allocated ports | DCOM protocol, which makes extensive use of DCE/RPC.
Identity Collector to Cisco ISE | 5222 | Session subscribe. Gets notifications of new login/logout events.
Identity Collector to Cisco ISE | 8910 | Bulk session download. Fetches all the active sessions from the ISE Server.

* Note: LDAPS (port 636) is also an option when using NetIQ eDirectory. For all other uses (which are the most common ones), only LDAP is used.
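An added pre-installation check (not Check Point's code) for the prospective Identity Collector host, covering the Mandatory Requirements section above and the port table in this section: TCP reachability of each listed port, the .NET Framework 4 install, RAM and free disk, Java 8 on the PATH, and the collector account's Event Log Readers membership. Host names and the account name are placeholders; it assumes a domain-joined host running Windows Server 2012 or later (for Test-NetConnection), and ISE ports are only probed when ISE servers are listed.

```powershell
# Added example, not part of the Identity Collector installer. Run it on the host that will
# run the Identity Collector. Names below are placeholders; Test-NetConnection needs Windows Server 2012+.
$DomainControllers = 'dc01.corp.example', 'dc02.corp.example'
$Gateways          = 'gw01.corp.example'
$IseServers        = @()             # e.g. 'ise01.corp.example' when the pxGrid integration is used
$CollectorAccount  = 'svc-idc'       # sAMAccountName of the AD user the collector reads the logs as

function Test-IdcPort([string]$Target, [int]$Port, [string]$Purpose) {
    $r = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $Target; Port = $Port; Purpose = $Purpose; Open = $r.TcpTestSucceeded }
}

# Ports from the Communication Protocols table. DCOM also uses dynamically allocated ports
# after the endpoint-mapper call on 135, which a single TCP probe cannot cover.
$ports = @(
    foreach ($dc in $DomainControllers) {
        Test-IdcPort $dc 53  'DNS'
        Test-IdcPort $dc 389 'LDAP'
        Test-IdcPort $dc 135 'DCOM (DCE/RPC endpoint mapper)'
    }
    foreach ($gw in $Gateways) { Test-IdcPort $gw 443 'Collector to gateway (HTTPS)' }
    foreach ($ise in $IseServers) {
        Test-IdcPort $ise 5222 'pxGrid session subscribe'
        Test-IdcPort $ise 8910 'pxGrid bulk session download'
    }
)
$ports | Format-Table -AutoSize

# Host requirements from the page: .NET Framework 4, 8 GB RAM, 10 GB free disk, Java 8.
$net4    = Test-Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$ramGB   = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
$diskGB  = [math]::Round((Get-PSDrive -Name C).Free / 1GB, 1)
$javaCmd = Get-Command java -ErrorAction SilentlyContinue
$java8   = $javaCmd -and ((& $javaCmd.Source -version 2>&1 | Out-String) -match 'version "1\.8')

# Event Log Readers membership of the collector account, read from AD without RSAT.
# memberOf is a direct-membership backlink, so membership through a nested group is not seen here.
$acct   = ([adsisearcher]"(&(objectClass=user)(sAMAccountName=$CollectorAccount))").FindOne()
$reader = [bool]($acct.Properties['memberof'] | Where-Object { $_ -like 'CN=Event Log Readers,*' })

[pscustomobject]@{
    DotNet4Installed = $net4
    RamGB            = $ramGB;  RamOk  = $ramGB  -ge 8
    FreeDiskGB       = $diskGB; DiskOk = $diskGB -ge 10
    Java8OnPath      = [bool]$java8
    EventLogReaders  = $reader
    AllPortsOpen     = -not ($ports | Where-Object { -not $_.Open })
} | Format-List
```

The Windows Firewall rule named in the requirements ("Remote Event Log Management (RPC)") lives on the Domain Controllers, not on this host, so it is not checked here.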


Downloads

Required Package | Security Gateway version | Instructions
Hotfix for Security Gateway | R80.10 and above | Relevant hotfix is already integrated.
Hotfix for Security Gateway | R77.30 | The fix was integrated in R77.30 Jumbo Hotfix Take_308 (Ongoing) and above. To download it, refer to sk106162.
Hotfix for Security Gateway | R77.20 | Contact Check Point Support to get this package. A Support Engineer will make sure the package is compatible with your environment before providing it. For faster resolution and verification, please collect CPInfo files from the Security Management Server and Security Gateway involved in the case. Note: This hotfix can be installed on top of either R77.20 GA, or any Take of R77.20 Jumbo Hotfix Accumulator.
Hotfix for Security Gateway | R76SP.50 | The fix was integrated in R76SP.50 Jumbo Hotfix Take_96 and above. To download it, refer to sk117633.
Identity Collector for a Windows Server | All supported versions | Please refer to sk134312 to get the latest Identity Collector.
Release Notes | R80.10 and above | Refer to the relevant Identity Awareness Administration Guide.
Release Notes | R77.30 | Refer to the R77.30 Identity Collector Release Notes.


Related solution:
sk134312 - Identity Awareness Agents

Applies To:
  • This solution merges sk110155.
