The feature enhances activity tracking by incorporating user and computer identification information into the Check Point logs. With Identity Logging, administrators are able to better analyze network traffic and security-related events.
The feature provides the following benefits:
Identity auditing and monitoring capabilities in Check Point Security Management.
Leveraging existing Check Point infrastructure.
No client installation on endpoint machines or Active Directory is required.
Simple and easy way to audit your user and machine activity on the network.
Security Management (Log Server) communicates with the Microsoft Active Directory (AD) servers and obtains the user and computer names, along with the source IP address, from the AD event log repository. The data extracted from AD is stored in an association map on the Log Server. When security gateways generate a Check Point log entry and send it to the Log Server, the server looks up the association map entry corresponding to the source IP address, obtains the user and computer name, and extends the log with the user and computer identity. Identity Logging does not require any additional agent installation, either on endpoints or on AD servers. Identity Logging uses Windows Management Instrumentation (WMI) to obtain the information directly from the AD server.
User/Client/Session Authentication methods require end-user involvement in the authentication process and client installation on the endpoint machine. The Identity Logging feature is a pure clientless solution with no end-user intervention. User/Client and Session authentication methods provide access control enforcement which is not supported in Identity Logging.
User Authority is an agent-based solution for user access control, enforced on security gateways. The solution requires an additional license and deployment considerations. Identity Logging offers a simple, clientless way to gain user identity capabilities in Check Point logging and reporting solutions.
The User column in SmartTracker applies to Remote Access VPN and to User/Client/Session authentication features and provides user identity information only when the above features are in use. For any other type of logging, the user column is only populated when the Identity Logging feature has been enabled.
Ensure that you have the following to enable the feature:
Security Management server R70.20 and above installed.
Network connectivity between the Logging blade and the Domain Controller (DC) of your Active Directory environment (multiple DCs support is available). The Logging blade is typically included in the Security Management server configuration.
The Identity Logging feature is designed to work when provided an Active Directory domain administrator user. This is, by far, the easiest way to set it up. On the other hand, it can also use a non-admin user, given specific permissions. See sk43874 for more information.
Identity Logging currently supports only one domain; multiple Domain Controllers are supported for this one domain.
If you have multiple Domain Controllers serving the same domain, we recommend configuring the Domain Controllers with the most authentication activity. Note that each user authentication generates an event log only on a single DC.
Identity Logging works well with remote Domain Controllers. You should ensure sufficient connectivity with the remote site's Domain Controller over WAN, Internet or VPN connections.
If your domain contains sub domains, please be sure to read sk43928 and R70.20 release notes beforehand.
Identity Logging provides a good level of security and accuracy when resolving and matching users and machines identity from the Active Directory logs. Some user events are not recorded on Active Directory and will therefore not be reflected in logs.
User logoff is not monitored, i.e. the feature may incorrectly report the identity of a user who had logged off the network.
Users that are not reported to AD (e.g. not joined to the domain or non-Windows machines) do not have identity resolution.
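The association-map mechanism described above, together with the two accuracy caveats (logoff is not monitored; hosts that never log on to AD get no identity), as an added illustration that is not Check Point's code. It assumes constructed Windows Security logon events (event ID 4624 fields) and constructed gateway log records; the field names and addresses are sample values only.

```python
# Constructed sample of Windows Security logon/logoff events, in the shape the
# Log Server would read from a Domain Controller over WMI (sample values only).
AD_EVENTS = [
    {"time": "2011-05-02T08:01:00", "event_id": 4624, "TargetUserName": "alice",
     "TargetDomainName": "CORP", "WorkstationName": "WS-ALICE", "IpAddress": "10.1.1.10"},
    {"time": "2011-05-02T08:05:00", "event_id": 4624, "TargetUserName": "bob",
     "TargetDomainName": "CORP", "WorkstationName": "WS-BOB", "IpAddress": "10.1.1.11"},
    # Logoff (4634): not consulted, so alice stays mapped to 10.1.1.10 until a new logon
    {"time": "2011-05-02T08:07:00", "event_id": 4634, "TargetUserName": "alice",
     "TargetDomainName": "CORP", "WorkstationName": "WS-ALICE", "IpAddress": "10.1.1.10"},
    {"time": "2011-05-02T09:00:00", "event_id": 4624, "TargetUserName": "carol",
     "TargetDomainName": "CORP", "WorkstationName": "WS-ALICE", "IpAddress": "10.1.1.10"},
]

# Constructed gateway log records; 10.1.1.50 is a host that never authenticated to AD.
GATEWAY_LOGS = [
    {"time": "2011-05-02T08:30:00", "src": "10.1.1.11", "dst": "203.0.113.5", "action": "accept"},
    {"time": "2011-05-02T08:30:00", "src": "10.1.1.50", "dst": "203.0.113.5", "action": "accept"},
]


def build_association_map(events):
    """Map source IP -> (DOMAIN\\user, computer) from logon events only.

    Later logons from the same IP overwrite earlier ones; logoff events are
    ignored, which is why a logged-off user can still be reported for that IP.
    """
    assoc = {}
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort lexically
        if ev["event_id"] != 4624:
            continue
        ip = ev["IpAddress"]
        if ip in ("-", "127.0.0.1", "::1"):              # local logons carry no usable IP
            continue
        assoc[ip] = (f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}', ev["WorkstationName"])
    return assoc


def enrich_log(entry, assoc):
    """Extend one gateway log record with the identity mapped to its source IP.

    Unknown source IPs (non-domain or non-Windows hosts) get empty identity fields.
    """
    user, machine = assoc.get(entry["src"], ("", ""))
    return {**entry, "user": user, "machine": machine}


def enrich_all(logs=GATEWAY_LOGS, events=AD_EVENTS):
    assoc = build_association_map(events)
    return [enrich_log(e, assoc) for e in logs]
```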
The CPU usage on the domain controller for sending the event log to the Log Server is minimal; it ranges from 0 to 3%. This depends on the number of authentication events logged on the domain controller. According to our testing, the effect is usually slightly higher on domain controllers running on virtual machines.
The amount of data transferred between the log server and domain controllers depends on the number of event log entries generated, which in turn depends on the number of authentication events. This number varies according to the applications running in the network: programs that perform many authentication requests will produce a higher volume of logs. In real-life scenarios, the observed bandwidth ranged between 0.1 and 0.25 Mbps per 1000 users.
Identity Logging is available free of charge through December 31st, 2011, with Check Point's Identity Awareness blade. Note that the Identity Awareness blade will be included, free of charge, with all Security Gateway appliances and software bundles. The number of users supported will be determined by the size of the Security Gateway container.
The Identity Awareness Software Blade license is required in order to activate this feature beginning with R75.10. If you are using an NGX license, this feature cannot be activated.