10-10-2023 04:45 AM
Hello,
Does anyone have experience with the CP ID Collector integration?
We have a Checkpoint Identity Collector connected via pxGrid 2.0; the client is approved, everything is fine, and ISE is connected to AD.
But I have no idea what to do to publish information about AD users/groups to the ID Collector.
The Checkpoint doc notes:
"The following guidelines need to be followed when configuring the rule base
• Only access roles can be used when creating an ISE policy
• User group name must match exactly what is in Cisco ISE
• User group needs to have the CSGT prefix
• Groups are left empty to be populated automatically
• Access Roles name need to be prefix with SGT"
So do I have to create some policy? And in what workspace?
Any Help is appreciated
Thanks
Karl
10-18-2023 09:14 PM
Hi gaigl,
To publish information about AD users and groups to the Checkpoint Identity Collector, you will need to configure an ISE policy and follow the guidelines provided in the Checkpoint documentation. Here are the steps you can take:
Open the Cisco ISE administration interface and navigate to the "Policy" workspace.
In the "Policy Elements" section, click on "Results" > "Authorization" > "Access Service".
Click on the appropriate access service that is associated with the Checkpoint Identity Collector.
In the access service details, navigate to the "Authorization" tab.
Click on the "Add Rule" button to create a new policy rule.
Configure the rule using the following guidelines provided by Checkpoint:
Save the policy rule and ensure that it is enabled.
Hope this can help.
-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.
You can also learn more about Secure Network Analytics (formerly known as Stealthwatch) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------
Best Regards,
Henry
10-18-2023 10:04 PM
Maybe I'm misunderstanding, but it sounds like you're expecting to get information regarding AD Group membership for a user from ISE, which is not a function of the Identity Collector.
The Identity Collector integration via pxGrid (subscriber) will allow CP to learn user/IP mappings, endpoint contextual data (learned from the ISE Profiler), and TrustSec IP/SGT mappings published from ISE for an active RADIUS session.
Checkpoint would have to be integrated directly with AD to query and learn AD group memberships for a particular user.
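To make the last reply concrete, here is an added example (not code from this thread, from Cisco, or from Check Point) that pulls the ISE session directory over pxGrid 2.0 REST and flattens it into the per-IP mappings a subscriber such as the Identity Collector can actually learn: user, IP, endpoint profile and SGT. The session field names (userName, ipAddresses, ctsSecurityGroup, endpointProfile) and the ServiceLookup/getSessions endpoints follow Cisco's published pxGrid REST samples; the CSGT and SGT prefixes come from the Check Point guidelines quoted in the question. The ISE host, pxGrid client name and password, CA file, and the absence of a separator after the prefixes are assumptions, and the sample session records are constructed. Note that nothing in the record carries AD group membership, which is why groups have to come from a direct AD integration.

```python
"""
Added example: read ISE sessions over pxGrid 2.0 REST and derive the identity
mappings a subscriber (e.g. Check Point Identity Collector) can learn.
Endpoints/field names follow Cisco's pxGrid REST samples; host, credentials,
CA file and prefix separators are assumptions; sample records are constructed.
"""
import base64
import json
import ssl
import urllib.request

SESSION_SERVICE = "com.cisco.ise.session"  # pxGrid service name of the session topic
CSGT_PREFIX = "CSGT"    # user-group prefix from the Check Point guideline (no separator assumed)
SGT_ROLE_PREFIX = "SGT"  # access-role prefix from the Check Point guideline (no separator assumed)

# Constructed sample in the shape of a getSessions response (assumption: field
# names as in Cisco's pxgrid-rest-ws samples). No field carries AD group membership.
SAMPLE_GETSESSIONS = {
    "sessions": [
        {"timestamp": "2023-10-10T09:41:12.000+02:00", "state": "STARTED",
         "userName": "karl", "adNormalizedUser": "karl",
         "adUserDomainName": "example.local", "macAddress": "00:11:22:33:44:55",
         "ipAddresses": ["10.20.30.40"], "nasIpAddress": "10.20.0.1",
         "ctsSecurityGroup": "Employees", "endpointProfile": "Windows10-Workstation",
         "auditSessionId": "0A14000100000007001A2B3C"},
        {"timestamp": "2023-10-10T09:42:00.000+02:00", "state": "STARTED",
         "userName": "svc-printer", "macAddress": "00:11:22:33:44:66",
         "ipAddresses": ["10.20.30.41", "fe80::211:22ff:fe33:4466"],
         "nasIpAddress": "10.20.0.1", "endpointProfile": "Printer"},  # no SGT assigned
        {"timestamp": "2023-10-10T09:43:30.000+02:00", "state": "DISCONNECTED",
         "userName": "guest-ended", "macAddress": "00:11:22:33:44:77",
         "ipAddresses": ["10.20.30.42"], "ctsSecurityGroup": "Guests"},
    ]
}


def pxgrid_post(url, body, node_name, password, cafile=None):
    """POST a JSON body to a pxGrid 2.0 REST endpoint with password-based
    authentication (HTTP basic, nodeName:password). cafile is the CA chain
    that signed the ISE pxGrid certificate; None disables verification (lab only)."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{node_name}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.loads(resp.read())


def fetch_sessions(ise_host, node_name, password, cafile=None):
    """ServiceLookup for the session service (port 8910 is the default pxGrid
    control port), then getSessions on the restBaseUrl of the first node returned."""
    lookup = pxgrid_post(f"https://{ise_host}:8910/pxgrid/control/ServiceLookup",
                         {"name": SESSION_SERVICE}, node_name, password, cafile)
    base = lookup["services"][0]["properties"]["restBaseUrl"]
    return pxgrid_post(f"{base}/getSessions", {}, node_name, password, cafile)


def identity_mappings(payload):
    """Flatten a getSessions response into one mapping per session IP.
    Only STARTED sessions yield mappings; a subscriber withdraws the mapping
    when the session ends. SGT is translated into the Check Point group and
    access-role names per the quoted naming guideline. There is no AD group
    field to copy: that data is not part of the session record."""
    rows = []
    for s in payload.get("sessions", []):
        if s.get("state") != "STARTED":
            continue
        sgt = s.get("ctsSecurityGroup")
        for ip in s.get("ipAddresses", []):
            rows.append({
                "ip": ip,
                "user": s.get("userName"),
                "domain": s.get("adUserDomainName"),
                "mac": s.get("macAddress"),
                "endpoint_profile": s.get("endpointProfile"),
                "sgt": sgt,
                "cp_user_group": f"{CSGT_PREFIX}{sgt}" if sgt else None,
                "cp_access_role": f"{SGT_ROLE_PREFIX}{sgt}" if sgt else None,
            })
    return rows


if __name__ == "__main__":
    for row in identity_mappings(SAMPLE_GETSESSIONS):
        print(row)
    # Live query against a real deployment (placeholder values, assumptions):
    # live = fetch_sessions("ise.example.local", "cp-idc", "pxgrid-password",
    #                       cafile="/etc/pki/ise-pxgrid-ca.pem")
    # print(identity_mappings(live))
```

Run it as-is to see the three mappings derived from the constructed sample; uncomment the live call with your own ISE FQDN, the pxGrid client name you approved in ISE, its password and the pxGrid CA chain to query a real session directory. The printer session shows a started session with no SGT, the guest session shows a session that has ended and therefore produces no mapping, and none of the rows contain AD groups.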