Identity Logging - Frequently Asked Questions

Solution ID: sk44178
Product: Identity Awareness
Version: R70.20, R70.30, R70.40, R71, R75
Date Created: 10-Feb-2010
Last Modified: 10-Jun-2013
Solution

Introduction

This article provides answers to some of the most frequently asked questions (FAQ) related to the Check Point Identity Logging feature. For more information regarding Identity Logging, please refer to the Security Management server R75.40 Administration Guide.


General

  • What is the Identity Logging feature?
    The feature enhances activity tracking by incorporating user and computer identification information into the Check Point logs. With Identity Logging, administrators are able to better analyze network traffic and security-related events.


    The feature provides the following benefits:

    • Identity auditing and monitoring capabilities in Check Point Security Management.
    • Leveraging existing Check Point infrastructure.
    • No client installation on endpoint machines or Active Directory is required.
    • Simple and easy way to audit your user and machine activity on the network.


  • What are the main cases to use Identity Logging?
    • Security auditing
    • Troubleshooting network and connectivity issues
    • Help desk and maintenance tasks
    • Compliance and policy enforcement


  • Which Check Point versions support this feature?
    Identity Logging is supported starting with version R70.20 of the Security Management server. The feature works with Check Point security gateways of any version.
  • How does it work? Do I have to install software clients on endpoints to use Identity Logging?
    The Security Management server (Log Server) connects to the Microsoft Active Directory (AD) Domain Controllers and reads logon events from their Security event logs, extracting the user name, the computer name and the source IP address of each logon. This data is kept in an association map on the Log Server, keyed by IP address. When a security gateway generates a log entry and sends it to the Log Server, the server looks up the entry's source IP address in the association map and extends the log with the matching user and computer identity.
    Identity Logging does not require any additional agent installation, either on endpoints or on AD servers. It uses Windows Management Instrumentation (WMI) to read the event log directly from the Domain Controller.
  • What is the difference between Identity Logging and User/Client/Session Authentication?
    User/Client/Session Authentication methods require end-user involvement in the authentication process (and, for Session Authentication, an agent on the endpoint machine). Identity Logging is a purely clientless solution with no end-user intervention. User, Client and Session Authentication provide access control enforcement, which Identity Logging does not support.


  • What is the difference between Identity Logging and User Authority?
    User Authority is an agent-based solution for user access control, enforced on security gateways. It requires an additional license and has its own deployment considerations. Identity Logging offers a simple, clientless way to add user identity information to Check Point logging and reporting.
  • I already have the "User" column in SmartView Tracker, why should I enable Identity Logging?
    The "User" column in SmartView Tracker applies to Remote Access VPN and to User/Client/Session Authentication, and is populated only when one of those features is in use. For any other type of logging, the "User" column is populated only when the Identity Logging feature has been enabled.
  • Internationalization: are user names with non-Latin characters (e.g. Cyrillic letters) supported?
    Currently, no.

Deployment and Settings

  • What is required to enable this feature?
    Ensure that you have the following to enable the feature:
    • Security Management server R70.20 and above installed.
    • Network connectivity between the Logging blade and the Domain Controller (DC) of your Active Directory environment (multiple DCs support is available). The Logging blade is typically included in the Security Management server configuration.
    • Active Directory Administrator's credentials.


  • What if I cannot use an AD admin user?
    The Identity Logging feature is designed to work with an Active Directory domain administrator account, which is by far the easiest way to set it up. However, it can also use a non-admin account that has been granted specific permissions. See sk43874 for more information.
  • Is Identity Logging supported on all Check Point platforms?
    • Identity Logging is currently supported only on Windows, SecurePlatform and Linux based Security Management server platforms.
    • Identity Logging is supported on Check Point appliances, including the UTM-1 family.


  • What type of hardware (CPU, memory) should I consider when enabling Identity Logging on the Security Management server? What are the size implications?
    We recommend using Check Point UTM-1/Power-1 appliances or an equivalent open server with at least 1 GB of memory.

    • The Identity Logging feature requires 10 MB of memory for initial operation.
    • 3 MB more for each Domain Controller (DC) connected to the Log Server.
    • The number of users active on a particular DC has a minor impact (up to 3%) on the Security Management server's CPU.


  • I have a complex AD environment, will the feature work in my environment?
    • Identity Logging currently supports only one domain; multiple Domain Controllers are supported for this one domain.
    • If you have multiple Domain Controllers serving the same domain, we recommend configuring the Domain Controllers with the most authentication activity. Note that each user authentication generates an event log only on a single DC.
    • Identity Logging works well with remote Domain Controllers. You should ensure sufficient connectivity to the remote site's Domain Controller over WAN, Internet or VPN connections.
    • If your domain contains sub domains, please be sure to read sk43928 and R70.20 release notes beforehand.


  • Can the identity information be used for enforcement?
    No. Identity Logging does not provide enforcement capabilities. If you have Identity Access enforcement requirements, contact your local Check Point representatives.
  • How accurate is the user identity information acquired from Active Directory logs?
    Identity Logging resolves and matches user and machine identities from the Active Directory logs with good accuracy, but the identity attached to a log is a best-effort association between a source IP address and the last user who logged on from it. Some user events are not recorded in Active Directory and therefore cannot be reflected in the logs:

    • User logoff is not monitored, so the feature may attribute traffic from an IP address to a user who has already logged off (the entry remains until a newer logon event from the same address replaces it).
    • Users on machines that do not authenticate to AD (e.g. machines not joined to the domain, or non-Windows machines) have no identity resolution.
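    As an added illustration of the mechanism described in "How does it work?" and of the two accuracy caveats above, the following Python models the Log Server's association map. It is example code written for this page, not Check Point's implementation; the Windows event IDs (4624 logon, 4634 logoff), the event field names and the key=value gateway log format are assumptions of the example, and all records are constructed. The replay shows a logoff leaving the entry in place, a later logon from the same address overwriting it, and a source address with no association resolving to nothing.

```python
"""Toy model of the Identity Logging association map (added example, not
Check Point code). A simulated Log Server consumes logon events from a Domain
Controller's Security log, keeps an IP -> identity map, and enriches gateway
log records with user and machine names."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed DC Security-log records (not real data). Field names follow the
# Windows 4624/4634 events (Account Name, Account Domain, Workstation Name,
# Source Network Address). Which event IDs the real product reads is an
# assumption of this example, not something the FAQ states.
SAMPLE_DC_EVENTS = [
    {"time": "2013-06-10T08:00:05", "event_id": 4624, "account": "alice",
     "domain": "CORP", "workstation": "WS-ALICE", "src_ip": "10.1.1.20"},
    {"time": "2013-06-10T08:00:06", "event_id": 4624, "account": "WS-ALICE$",
     "domain": "CORP", "workstation": "WS-ALICE", "src_ip": "10.1.1.20"},
    {"time": "2013-06-10T08:02:10", "event_id": 4624, "account": "bob",
     "domain": "CORP", "workstation": "WS-BOB", "src_ip": "10.1.1.21"},
    {"time": "2013-06-10T08:30:00", "event_id": 4634, "account": "alice",
     "domain": "CORP", "workstation": "WS-ALICE", "src_ip": "10.1.1.20"},
    {"time": "2013-06-10T09:00:00", "event_id": 4624, "account": "carol",
     "domain": "CORP", "workstation": "WS-BOB", "src_ip": "10.1.1.21"},
]

# Constructed gateway log lines in a simple key=value form (assumed format,
# not the real Check Point log format).
SAMPLE_GATEWAY_LOGS = [
    "time=2013-06-10T08:05:00 src=10.1.1.20 dst=93.184.216.34 service=http action=accept",
    "time=2013-06-10T08:45:00 src=10.1.1.20 dst=93.184.216.34 service=http action=accept",
    "time=2013-06-10T08:50:00 src=10.1.1.21 dst=10.1.5.5 service=smb action=accept",
    "time=2013-06-10T09:10:00 src=10.1.1.21 dst=10.1.5.5 service=smb action=accept",
    "time=2013-06-10T09:12:00 src=10.1.1.99 dst=10.1.5.5 service=ssh action=drop",
]

LOGON_EVENT_IDS = {4624}      # 4634 (logoff) is deliberately absent: logoff is not monitored


@dataclass
class Association:
    user: str
    machine: str
    since: datetime           # time of the logon event that set this entry


class AssociationMap:
    """IP address -> identity, updated only by logon events."""

    def __init__(self) -> None:
        self.entries: Dict[str, Association] = {}

    def consume(self, ev: dict) -> None:
        if ev["event_id"] not in LOGON_EVENT_IDS:
            return                        # logoffs never clear an entry
        if ev["account"].endswith("$"):
            return                        # computer-account logon, not a user (assumed filter)
        if ev["src_ip"] in ("", "-", "127.0.0.1", "::1"):
            return                        # no usable source address to key on
        self.entries[ev["src_ip"]] = Association(
            user=ev["domain"] + "\\" + ev["account"],
            machine=ev["workstation"],
            since=datetime.fromisoformat(ev["time"]),
        )

    def lookup(self, ip: str) -> Optional[Association]:
        return self.entries.get(ip)


def parse_gateway_log(line: str) -> dict:
    return dict(field.split("=", 1) for field in line.split())


def enrich(rec: dict, amap: AssociationMap) -> dict:
    """Add user/machine columns; '-' when the source IP has no association.
    assoc_age_s tells an analyst how old the association is (a check added
    here, not a field the FAQ describes)."""
    out = dict(rec)
    assoc = amap.lookup(rec["src"])
    if assoc is None:
        out["user"] = out["machine"] = "-"
        out["assoc_age_s"] = None
    else:
        out["user"], out["machine"] = assoc.user, assoc.machine
        logged_at = datetime.fromisoformat(rec["time"])
        out["assoc_age_s"] = int((logged_at - assoc.since).total_seconds())
    return out


def replay(events: List[dict], log_lines: List[str]) -> List[dict]:
    """Merge DC events and gateway logs by timestamp and enrich in arrival order."""
    stream = [("ev", e["time"], e) for e in events]
    for line in log_lines:
        rec = parse_gateway_log(line)
        stream.append(("log", rec["time"], rec))
    stream.sort(key=lambda item: (item[1], item[0] == "log"))   # events before logs at equal times
    amap, enriched = AssociationMap(), []
    for kind, _, payload in stream:
        if kind == "ev":
            amap.consume(payload)
        else:
            enriched.append(enrich(payload, amap))
    return enriched


if __name__ == "__main__":
    for r in replay(SAMPLE_DC_EVENTS, SAMPLE_GATEWAY_LOGS):
        print(f'{r["time"]} src={r["src"]} user={r["user"]} machine={r["machine"]} '
              f'assoc_age_s={r["assoc_age_s"]} action={r["action"]}')
```

    In the replay, the 08:45 record from 10.1.1.20 is still attributed to alice although she logged off at 08:30, the 09:10 record from 10.1.1.21 is attributed to carol because her logon overwrote bob's entry, and 10.1.1.99 gets "-" because no Domain Controller ever reported a logon from it. Surfacing the association age in the enriched record is one cheap way for an analyst to judge how much to trust the identity column.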


Performance

  • Will enabling this feature affect the Log Server's performance?
    The performance impact of this feature on the Log Server is negligible in normal operation and up to 5% at peak. Memory consumption on the Log Server is approximately the sum of:
    • 10MB for the feature itself
    • 3MB per configured domain controller
    • 100 bytes per logged in user


  • How does this feature affect my domain controllers in terms of performance?
    The CPU cost of sending the event log to the Log Server is minimal, ranging from 0 to 3% depending on the number of authentication events logged on the domain controller. In our testing, the effect is usually somewhat higher on domain controllers running on virtual machines.
  • What is the bandwidth required between the log server and the Domain Controllers?
    The amount of data transferred between the Log Server and the domain controllers depends on the volume of event logs generated, which in turn depends on the number of authentication events. This varies with the applications running in the network: programs that perform many authentication requests produce more logs. In real-life scenarios, the observed bandwidth ranged from 0.1 to 0.25 Mbps per 1000 users.

Integration and Compatibility

Licensing

  • Does using this feature require a special license?

    • Identity Logging is available free of charge through December 31st, 2011, with Check Point's Identity Awareness blade. Note that the Identity Awareness blade will be included, free of charge, with all Security Gateway appliances and software bundles. The number of users supported is determined by the size of the Security Gateway container.


    • Beginning with R75.10, the Identity Awareness Software Blade license is required in order to activate this feature. If you are using an NGX license, this feature cannot be activated.
