ISE 3.1 Checkpoint Identity Collector Policy

gaigl
Level 3

Hello,

Does anyone have experience with the CP ID Collector integration?

We have a Checkpoint Identity Collector connected via pxGrid 2.0; the client is approved, everything is fine, and ISE is connected to AD.

But I have no idea what to do to publish information about AD users/groups to the ID Collector.

The Checkpoint documentation notes:

"The following guidelines need to be followed when configuring the rule base:
• Only access roles can be used when creating an ISE policy
• User group name must match exactly what is in Cisco ISE
• User group needs to have the CSGT prefix
• Groups are left empty to be populated automatically
• Access role names need to be prefixed with SGT"

So do I have to create some policy? And in what workspace?

Any Help is appreciated

Thanks

Karl


lohan
Cisco Employee

Hi gaigl,

To publish information about AD users and groups to the Checkpoint Identity Collector, you will need to configure an ISE policy and follow the guidelines provided in the Checkpoint documentation. Here are the steps you can take:

  1. Open the Cisco ISE administration interface and navigate to the "Policy" workspace.

  2. In the "Policy Elements" section, click on "Results" > "Authorization" > "Access Service".

  3. Click on the appropriate access service that is associated with the Checkpoint Identity Collector.

  4. In the access service details, navigate to the "Authorization" tab.

  5. Click on the "Add Rule" button to create a new policy rule.

  6. Configure the rule using the following guidelines provided by Checkpoint:

     • Use only access roles when creating an ISE policy.
     • The user group name must match exactly what is in Cisco ISE.
     • The user group needs to have the CSGT prefix.
     • Leave the groups field empty, as it will be populated automatically.
     • Access role names need to be prefixed with SGT.

  7. Save the policy rule and ensure that it is enabled.

Hope this can help.


Best Regards,
Henry

Greg Gibbs
Cisco Employee

Maybe I'm misunderstanding, but it sounds like you're expecting to get information regarding AD Group membership for a user from ISE, which is not a function of the Identity Collector.

The Identity Collector integration via pxGrid (subscriber) will allow CP to learn user/IP mappings, endpoint contextual data (learned from the ISE Profiler), and TrustSec IP/SGT mappings published from ISE for an active RADIUS session.

Checkpoint would have to be integrated directly with AD to query and learn AD group memberships for a particular user.