
Check Point Identity Awareness — From IP Rules to User Rules, the PDP/PEP Topology Nobody Draws

Your firewall rule says 10.20.5.0/24 → Allow. But which user on that subnet downloaded the 15 GB of customer data? Without Identity Awareness, you have no answer. AD Query, Captive Portal, Identity Agent, and the PDP/PEP topology nobody draws — pick a source below, watch identity propagate live, master user-based rules in 12 minutes.

📅 2026-05-26 · ⏱ 12 min · 5 SVG infographics + 1 animated identity-propagation trace · 🏷 10-Q Bloom-tiered assessment + AI Tutor

Pick an identity source — jump straight to it

  1. AD Query — transparent. Parses the AD Security Event Log via WMI/RPC. The default.
  2. Captive Portal — browser-based auth for BYOD / Mac / non-domain devices.
  3. Identity Agent — lightweight Windows agent; most reliable, single-machine accuracy.
  4. PDP/PEP topology — which gateway learns identity, which gateway enforces.

The interview question that trips up 70% of candidates

Senior interview: "What's the difference between a PDP and a PEP, and can the same gateway be both?"
Wrong answers: "They're the same thing", "PDP is the management server". Right answer: PDP (Policy Decision Point) is the gateway that learns identities from sources (AD Query, Captive Portal, Identity Agent). PEP (Policy Enforcement Point) is the gateway that applies user-based rules. A single small gateway plays both. In larger deployments, one or two strategic gateways play PDP and share identity with many PEPs over SIC. Knowing this topology lets you scale to 50k users without putting AD Query load on every branch.

💡 The college canteen ID-card analogy

You walk into the college canteen. The reception scans your ID card — that's identity acquisition (the PDP doing AD Query). The scanner pings the college server: "Sneha CS-Final-Year, year 2026, dietary preference veg, monthly limit ₹3000". You then approach the counter and order biryani. The counter staff doesn't re-scan your ID — they look up the record reception just made, check today's spending, and serve you. The counter is the PEP. Same Sneha at different counters (food, books, hostel-laundry) means many PEPs but one PDP. That's why the topology matters.

4 things you'll be tested on before we begin

Access Role — A single rule object that combines User + Machine + Network + Time. Use it in the Source/Destination of any Access Control rule. Replaces 4 separate columns with one matchable object.

SIC trust — Secure Internal Communication: mutual TLS between management and gateways, and also between PDP and PEPs. Identity flows over SIC, encrypted. No SIC = no identity propagation.

Identity timeout — Default 720 min (12 h). When a user logs off, the gateway keeps the identity until the timeout OR an explicit logoff signal (rare). Tune down for shared kiosks; tune up for stable office desks.

Bypass list — Service accounts (backup runners, scanners, monitoring) appear in AD as logins but aren't real users. Always bypass them via the dedicated list or you'll mis-attribute SOC traffic to "svc_backup".

① AD Query — transparent identity, the default 80% of deployments use

AD Query (ADQ) parses the Windows Security Event Log on Domain Controllers over WMI / RPC, looking for event IDs 4624 (logon success) and related. When Rahul logs into his Wipro laptop, the DC writes event 4624 → ADQ on the gateway reads it within seconds → gateway maps 10.20.5.50 → user=rahul.kumar, machine=WIPRO-LAP-2245.

Figure 1 (diagram): Rahul's laptop (10.20.5.50, WIPRO-LAP-2245) → ① Kerberos logon → Domain Controller DC-WIPRO-MUMBAI writes EventID 4624 to the Security Event Log → ② WMI/RPC poll (5 s) by the PDP gateway: AD Query reads the event, extracts user + machine, maps them to the source IP → ③ propagation over SIC to the PEP gateways at the branches: 10.20.5.50 → user=rahul.kumar, and rules with Access Roles now fire.
Figure 1 — AD Query identity acquisition. Laptop logon → DC event 4624 → PDP polls via WMI → PDP propagates identity to all PEPs via SIC.
Common mistake — AD Query without advanced auditing

AD Query needs Windows DCs to log event 4624. Default Server policies often have "Audit Logon Events" disabled or set to Failures only. Enable via Default Domain Controllers Policy → Computer → Advanced Audit → Logon/Logoff → Audit Logon = Success+Failure. Without this, ADQ silently learns zero users. Symptom: "Identity Awareness configured but no rules ever match by user".

② Captive Portal — when ADQ can't see them

BYOD phone, Mac without domain join, contractor laptop — none of these generate AD logon events. Captive Portal redirects them to a browser-based auth page on the gateway. They log in once → gateway maps their IP to a user → rules fire.

Figure 2 (comparison matrix), identity sources side by side:
AD Query · Transparency: ✓ fully transparent · Devices: domain-joined Windows · Latency: ~5-30 sec · Accuracy: medium (shared PCs problematic) · Use when: default for 90% of corp.
Captive Portal · Transparency: ✗ user sees a login page · Devices: BYOD / Mac / contractor · Latency: user-driven (instant on submit) · Accuracy: high (one IP = one user) · Use when: non-domain devices.
Identity Agent · Transparency: ✓ transparent + SSO · Devices: Windows (managed install) · Latency: real-time on logon/logoff · Accuracy: highest (agent reports state) · Use when: regulated industries.
Terminal Server Agent · Transparency: ✓ per-session · Devices: Citrix / RDS / shared · Latency: real-time · Accuracy: per port (multiple users on one IP) · Use when: RDS / Citrix farms.
Figure 2 — Identity sources side-by-side. AD Query for the bulk, Captive Portal for outliers, Identity Agent for regulated industries, Terminal Server Agent when many users share one IP.

③ Identity Agent + Terminal Server Agent — when accuracy matters

Identity Agent (IA) is a Windows MSI installed on user endpoints. It signs in directly with the gateway over Kerberos, reporting login/logout in real time. Comes in Light (no UI, GPO-deployed) and Full (with system tray). Best for regulated industries (BFSI, healthcare) where mis-attributing traffic is a compliance fail.

Terminal Server Agent (TSA) solves the "many users, one IP" problem on Citrix and RDS farms. TSA monitors the server's session table and tells the gateway: "TCP source port 47000-47200 belongs to user1, 47201-47400 belongs to user2…". Without TSA, Citrix traffic from 200 users all looks like one IP and you cannot enforce per-user policy.
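The TSA mechanism described above, as an added example in Python (this is not Check Point's TSA code): a per-server map from (source IP, source port) to the session owner. The port ranges 47000-47200 / 47201-47400 and the two users are the lesson's; the class name, the overlap check and the release-on-logoff method are this example's own choices.

```python
"""Model of Terminal Server Agent identity: one shared IP, many users, split by source port.

Added example, not Check Point's TSA implementation. The agent hands each
RDS/Citrix session a block of TCP source ports; the gateway then resolves
(ip, sport) to a user instead of resolving ip alone.
"""
import bisect
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRange:
    lo: int
    hi: int        # inclusive
    user: str


class SharedHostIdentityMap:
    """Per shared-server IP: a sorted list of non-overlapping port ranges."""

    def __init__(self):
        self._ranges = {}                       # ip -> list[PortRange] sorted by lo

    def assign(self, ip, lo, hi, user):
        """Agent reports: ports lo..hi on this server belong to user."""
        if not (0 < lo <= hi <= 65535):
            raise ValueError("port range out of bounds")
        ranges = self._ranges.setdefault(ip, [])
        i = bisect.bisect_left([r.lo for r in ranges], lo)
        # An overlap would attribute one port to two users, so refuse it.
        if i > 0 and ranges[i - 1].hi >= lo:
            raise ValueError(f"overlaps {ranges[i - 1]}")
        if i < len(ranges) and ranges[i].lo <= hi:
            raise ValueError(f"overlaps {ranges[i]}")
        ranges.insert(i, PortRange(lo, hi, user))

    def resolve(self, ip, sport):
        """Gateway side: which user owns this (ip, source port)? None if unmapped."""
        ranges = self._ranges.get(ip, [])
        i = bisect.bisect_right([r.lo for r in ranges], sport) - 1
        if i >= 0 and ranges[i].lo <= sport <= ranges[i].hi:
            return ranges[i].user
        return None

    def release(self, ip, user):
        """Session logoff: drop every range the agent had assigned to that user."""
        self._ranges[ip] = [r for r in self._ranges.get(ip, []) if r.user != user]


def demo():
    """Constructed scenario: one Citrix server, two sessions (ranges from the lesson)."""
    m = SharedHostIdentityMap()
    m.assign("10.30.1.5", 47000, 47200, "user1")
    m.assign("10.30.1.5", 47201, 47400, "user2")
    return m


if __name__ == "__main__":
    m = demo()
    print(m.resolve("10.30.1.5", 47100), m.resolve("10.30.1.5", 47300))
```

Without the agent every flow from 10.30.1.5 would resolve to whichever single identity the gateway last learned for that IP; with it, a flow from port 47100 and one from port 47300 resolve to different users, and a port outside any assigned block resolves to no user rather than to the wrong one.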

▶ Watch identity propagate end-to-end

Rahul boots his laptop → Kerberos logon → AD Query → PDP → PEP at branch → user-based rule fires. Second by second:

① 09:01:00: Rahul's laptop boots, joins WIPRO-HQ-WIFI. Gets DHCP → 10.20.5.50.
② 09:01:08: Kerberos AS-REQ → DC issues TGT → laptop authenticated. DC writes EventID 4624 to Security Event Log.
③ 09:01:13: PDP gateway's AD Query polls DC (5-sec interval), reads the new 4624 event, parses user = WIPRO\rahul.kumar, machine = WIPRO-LAP-2245, IP = 10.20.5.50.
④ 09:01:14: PDP propagates identity to all PEP gateways over SIC. All gateways now know that flow from 10.20.5.50 belongs to rahul.kumar.
⑤ 09:01:30: Rahul opens Salesforce. Packet hits PEP. Rule "Allow_BillingTeam_to_Salesforce" matches because Access Role = BillingTeam contains rahul.kumar. Allow.
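The AD Query section and the trace above describe one pipeline: read 4624 events from the Security Event Log, drop bypassed service accounts, map IP → user + machine on the PDP, propagate to the PEPs, and age the entry out at the identity timeout. Here is that pipeline as an added Python model; it is not Check Point's AD Query implementation. The event records are constructed (only the fields the model reads are present, and event 4625 is included to show it is ignored); the regex bypass (^svc_) and the 720-minute timeout are the lesson's stated settings; the UNUSABLE_IPS skip list and the propagate() function are this example's own simplifications.

```python
"""Model of AD Query identity acquisition on a PDP, propagated to PEPs.

Added example, not Check Point code. Parses constructed records shaped like
Windows Security Event Log 4624 entries, applies an excluded-users regex and
the 720-minute identity timeout, and copies the IP -> identity table to PEPs.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

IDENTITY_TIMEOUT = timedelta(minutes=720)     # lesson's stated default (12 h)
EXCLUDED_USERS = re.compile(r"^svc_", re.I)   # bypass list expressed as a regex
LOGON_SUCCESS = "4624"
UNUSABLE_IPS = {"-", "::1", "127.0.0.1"}      # model assumption: skip local logons

# Constructed sample log (not real DC output); only the fields read below are present.
SAMPLE_EVENTS = """<Events>
<Event><System><EventID>4624</EventID>
  <TimeCreated SystemTime="2026-05-26T03:31:08Z"/></System>
 <EventData><Data Name="TargetUserName">rahul.kumar</Data>
  <Data Name="TargetDomainName">WIPRO</Data>
  <Data Name="WorkstationName">WIPRO-LAP-2245</Data>
  <Data Name="IpAddress">10.20.5.50</Data></EventData></Event>
<Event><System><EventID>4624</EventID>
  <TimeCreated SystemTime="2026-05-26T03:32:00Z"/></System>
 <EventData><Data Name="TargetUserName">svc_veeam_backup</Data>
  <Data Name="TargetDomainName">WIPRO</Data>
  <Data Name="WorkstationName">BKP-01</Data>
  <Data Name="IpAddress">10.50.1.10</Data></EventData></Event>
<Event><System><EventID>4625</EventID>
  <TimeCreated SystemTime="2026-05-26T03:33:00Z"/></System>
 <EventData><Data Name="TargetUserName">priya.s</Data>
  <Data Name="TargetDomainName">WIPRO</Data>
  <Data Name="WorkstationName">WIPRO-LAP-0099</Data>
  <Data Name="IpAddress">10.20.5.77</Data></EventData></Event>
</Events>"""


def parse_events(xml_text):
    """Return dicts with event_id, time (aware UTC datetime) and the EventData fields."""
    events = []
    for ev in ET.fromstring(xml_text).findall("Event"):
        sys_el = ev.find("System")
        data = {d.get("Name"): (d.text or "") for d in ev.find("EventData").findall("Data")}
        stamp = sys_el.find("TimeCreated").get("SystemTime")
        events.append({
            "event_id": sys_el.findtext("EventID"),
            "time": datetime.fromisoformat(stamp.replace("Z", "+00:00")),
            **data,
        })
    return events


def learn_identities(events, excluded=EXCLUDED_USERS, timeout=IDENTITY_TIMEOUT):
    """PDP side: build the IP -> identity table from logon-success events only."""
    table = {}
    for ev in events:
        if ev["event_id"] != LOGON_SUCCESS:
            continue                                  # 4625 (failure) is not identity
        if ev["IpAddress"] in UNUSABLE_IPS:
            continue
        if excluded.search(ev["TargetUserName"]):
            continue                                  # bypass list: service accounts
        table[ev["IpAddress"]] = {
            "user": f"{ev['TargetDomainName']}\\{ev['TargetUserName']}",
            "machine": ev["WorkstationName"],
            "learned_at": ev["time"],
            "expires_at": ev["time"] + timeout,
        }
    return table


def propagate(pdp_table, pep_tables):
    """Model of PDP -> PEP identity sharing (carried over SIC in the real product)."""
    for pep in pep_tables.values():
        pep.clear()
        pep.update({ip: dict(ident) for ip, ident in pdp_table.items()})
    return pep_tables


def lookup(table, ip, now):
    """PEP side: resolve a flow's source IP to a user, honouring the identity timeout."""
    ident = table.get(ip)
    if ident is None or now >= ident["expires_at"]:
        return None
    return ident["user"]


if __name__ == "__main__":
    pdp = learn_identities(parse_events(SAMPLE_EVENTS))
    peps = propagate(pdp, {"PEP-Pune": {}, "PEP-Delhi": {}})
    now = datetime.fromisoformat("2026-05-26T03:31:30+00:00")   # 09:01:30 IST
    print(lookup(peps["PEP-Pune"], "10.20.5.50", now))          # WIPRO\rahul.kumar
```

Running it reproduces the trace: the 09:01:08 logon (03:31:08 UTC) yields a single table entry for 10.20.5.50, the svc_veeam_backup logon never enters the table, the failed logon is ignored, every PEP answers the same lookup, and the same lookup 12 hours later returns nothing because the entry has aged out.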
Quick check · Q1 of 10

Sneha enables Identity Awareness with AD Query: she configured the LDAP Account Unit, pointed it at the DCs, and gave the service account "Read security event log" rights. After install, no identity is acquired for any user. What's the most likely cause?

Correct: c. AD Query is only as good as what the DC actually logs. Standard hardening templates often disable audit categories; without 4624, ADQ learns nothing. Verify on the DC by running auditpol /get /category:"Logon/Logoff" in PowerShell — Success+Failure for "Logon" must be ON.

④ PDP/PEP topology — the design decision that scales

Small deployment (single gateway): same box is both PDP and PEP. Done.

Large deployment: designate 1–2 PDP gateways (typically in the DC, near AD DCs for low-latency WMI polls) and let them learn identities. PEP gateways at every branch subscribe via SIC. AD Query load stays at the DC; branches just enforce. This scales to 50k+ users without putting WMI load on every gateway.

Figure 3 (diagram): PDP / PEP scaled topology (50k users). DC site, where identity acquisition lives: DC #1 Mumbai with PDP-A (ADQ on DC #1) and PDP-B (HA peer). Identity propagation over SIC to five branch PEPs: PEP-Pune (3k users), PEP-Bengaluru (8k users), PEP-Delhi (12k users), PEP-Chennai (9k users), PEP-Kolkata (5k users). WMI poll load only on the 2 PDPs; branches enforce policy with zero ADQ load.
Figure 3 — PDP/PEP scaled topology. Two PDPs at DC site do all the AD Query work; five branch PEPs receive identity over SIC and enforce locally.

Access Roles — the rule object that replaces 4 columns

Access Role = User/Group + Machine + Network + Time. Drop one Access Role object into the Source column of an Access Control rule and you get all four conditions matched at once. The shift from R77.30 thinking ("source = IP subnet") to R80+ thinking ("source = HR-Team Access Role") is the single biggest productivity win in identity-aware policy.

Figure 4 (diagram): Access Role "BillingTeam_Office_BizHours" is the conjunction of 4 conditions: AD Group / User = WIPRO\BillingTeam; Machine = domain-joined laptops; Network = 10.20.5.0/24 (HQ-WiFi); Time = Mon-Fri 09:00-19:00 IST.
Figure 4 — Access Role composition. All 4 conditions must match for the role to apply. Drop the role in any Access Control rule's Source / Destination.
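The four-way match the figure describes, as an added Python example (not Check Point's rulebase code). The group WIPRO\BillingTeam, the 10.20.5.0/24 HQ-WiFi subnet, the Mon-Fri 09:00-19:00 IST window and the domain-joined-laptop condition come from the lesson; the Identity and AccessRole shapes, and the choice to return the list of failed conditions (so a non-match says which of the four columns missed), are this example's own.

```python
"""Model of an Access Role matched against a flow: user/group + machine + network + time.

Added example, not Check Point's rulebase implementation. Role values are the
lesson's; the data shapes and the diagnostic failed_conditions() are this
example's own design.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from ipaddress import ip_address, ip_network

IST = timezone(timedelta(hours=5, minutes=30))


@dataclass(frozen=True)
class Identity:
    """What the PDP learned (and resolved from AD) for one source IP."""
    user: str                  # e.g. "WIPRO\\rahul.kumar"
    groups: frozenset          # AD groups the user belongs to
    machine: str
    domain_joined: bool


@dataclass(frozen=True)
class AccessRole:
    name: str
    groups: frozenset = frozenset()          # empty = any authenticated user
    require_domain_joined: bool = False      # the machine condition
    networks: tuple = ()                     # empty = any network
    days: frozenset = frozenset(range(7))    # Monday=0 .. Sunday=6
    start: time = time(0, 0)
    end: time = time(23, 59, 59)
    tz: timezone = IST                       # the time window is evaluated in this zone

    def failed_conditions(self, ident, src_ip, when):
        """Names of the conditions that do NOT match; an empty list means the role applies."""
        failed = []
        if self.groups and not (self.groups & ident.groups):
            failed.append("user")
        if self.require_domain_joined and not ident.domain_joined:
            failed.append("machine")
        if self.networks and not any(ip_address(src_ip) in net for net in self.networks):
            failed.append("network")
        local = when.astimezone(self.tz)     # a UTC timestamp is still judged in IST
        if local.weekday() not in self.days or not (self.start <= local.time() <= self.end):
            failed.append("time")
        return failed

    def matches(self, ident, src_ip, when):
        return not self.failed_conditions(ident, src_ip, when)


# The role from Figure 4.
BILLING_ROLE = AccessRole(
    name="BillingTeam_Office_BizHours",
    groups=frozenset({"WIPRO\\BillingTeam"}),
    require_domain_joined=True,
    networks=(ip_network("10.20.5.0/24"),),
    days=frozenset(range(5)),                # Mon-Fri
    start=time(9, 0),
    end=time(19, 0),
)

# Constructed identity for the lesson's user (group membership assumed for the example).
RAHUL = Identity("WIPRO\\rahul.kumar",
                 frozenset({"WIPRO\\BillingTeam", "WIPRO\\Domain Users"}),
                 "WIPRO-LAP-2245", True)


def evaluate(role, ident, src_ip, when, rule_action="Allow"):
    """One identity-aware rule whose Source is the role: returns the action, or None if skipped."""
    return rule_action if role.matches(ident, src_ip, when) else None


if __name__ == "__main__":
    when = datetime(2026, 5, 26, 9, 1, 30, tzinfo=IST)     # Tuesday, the trace's ⑤
    print(evaluate(BILLING_ROLE, RAHUL, "10.20.5.50", when))   # Allow
    print(BILLING_ROLE.failed_conditions(RAHUL, "10.50.1.10", when))   # ['network']
```

The same flow from a server VLAN address fails only the network condition, a Sunday logon fails only the time condition, and a BYOD device that is not domain-joined fails only the machine condition, which is exactly the kind of answer an engineer needs when a user-based rule "doesn't fire" and the question is which of the four columns missed.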
Quick check · Q2 of 10

Karthik runs a 12-branch Check Point fleet with 1 DC. He wants to scale Identity Awareness without adding load to branch gateways. What's the design?

Correct: a. PDP near AD = low-latency WMI polls + single point of identity acquisition. PEPs everywhere = enforcement only. (b) overloads branch gateways with cross-WAN WMI polls. (c) gives terrible UX. (d) is a GPO rollout for 50k endpoints — expensive.

Service accounts + identity bypass — the audit trail saver

Backup runners, scanners, monitoring scripts log into your AD every minute. ADQ sees these as "user logons" and attributes their traffic. Now your SOC sees svc_veeam_backup as the user who transferred 4 TB last night. Useless attribution.

Pro tip — Identity bypass list

SmartConsole → Identity Awareness blade → Identity Sources → AD Query → Excluded users/machines. Add a regex like ^svc_ or list each service account. Now ADQ ignores those logons; SOC sees the source IP and at least can investigate without misleading attribution.


The 5 mistakes that cost L1/L2 candidates the interview

Mistake 1 — ADQ without DC audit policy

"Identity Awareness configured but nothing matches" — DCs aren't writing 4624. Enable Audit Logon Success in Default Domain Controllers Policy.

Mistake 2 — Service accounts polluting attribution

SOC sees svc_* as the user. Add service accounts to the Excluded list.

Mistake 3 — Citrix without TSA

200 users sharing one source IP = one giant attribution mess. Deploy TSA on the Citrix server.

Mistake 4 — Same-box PDP/PEP at scale

Every branch doing its own ADQ over the WAN melts the DCs. Centralize PDPs near DCs; branches enforce only.

Mistake 5 — Forgetting Excluded networks

Server VLANs (10.50.0.0/16) shouldn't be in Captive Portal redirect scope. You'll break monitoring/backup traffic. Always exempt server networks.

📝 Check your understanding — 10 questions, 70% to pass

Q1–Q2 above already count. Below are Q3 to Q10.

Q3 of 10 · Remember

Which Windows Event ID does AD Query primarily parse to learn user logons?

Correct: b. 4624 is the canonical logon-success event. AD Query parses it plus surrounding events to extract user + machine + IP. 4625 = failures (useful for SOC alerting, not identity). 4768 = TGT issuance (DC-side). 4720 = account creation, unrelated.
Q4 of 10 · Apply

Aditya needs to allow only the AD group "FinanceTeam" to access SAP between 09:00-19:00 IST from domain-joined laptops on the HQ WiFi subnet. Which is the cleanest design?

Correct: a. The Access Role is precisely the object Check Point built for this scenario. One object, one rule, all 4 conditions matched together. (b) is the pre-R80 approach. (c) is wrong blade. (d) loses identity entirely.
Q5 of 10 · Analyze

Priya configures Identity Awareness with ADQ. pdp monitor all shows users learned correctly. But on a branch PEP gateway, pep show user query ip <test-ip> returns empty. What's broken?

Correct: c. PDP has the identity (you confirmed with pdp monitor all); PEP doesn't (pep show empty). The only thing between them is SIC. Either SIC isn't established, or a firewall between PDP and PEP blocks port 18211. (a/b) would prevent PDP from learning, not propagation.
Q6 of 10 · Analyze

Sneha runs a Citrix farm. 200 users connect via published apps. SmartLog shows ALL Citrix traffic attributed to the same user. Why and what's the fix?

Correct: b. Classic Citrix attribution bug. ADQ's IP→user mapping breaks when many users share an IP. TSA is the dedicated solution — it maps source-port ranges to user sessions and tells the gateway.
Q7 of 10 · Analyze

SOC reports that user "svc_veeam_backup" downloaded 4 TB overnight. Veeam is your backup service account. What's the right fix?

Correct: b. Service accounts in attribution = useless SOC. Excluded list is the canonical fix. Regex ^svc_ covers the whole family.
Q8 of 10 · Apply

Rahul deploys Identity Agent (Light, GPO-pushed) on all 5000 endpoints. Why is this better than ADQ alone for a BFSI deployment?

Correct: b. The accuracy + audit-trail argument is the BFSI / healthcare driver. ADQ's latency window is the gap regulators care about. IA closes it.
Q9 of 10 · Evaluate

For a 50k-user fleet across 30 sites, what's the right Identity Awareness topology?

Correct: c. Multi-source mix is the senior-engineer answer. ADQ for the bulk (cheap, transparent), IA where compliance demands it, Captive Portal for outliers, TSA for Citrix. Centralized PDPs + distributed PEPs scales. (a) overloads DCs. (b) terrible UX. (d) IA rollout for 50k endpoints is unnecessarily heavy.
Q10 of 10 · Evaluate

After CVE-2024-24919, what's the right hygiene for Identity Awareness in production?

Correct: d. Senior-engineer hygiene. The ADQ service account is sensitive — minimize its rights. Patch cadence aligned to CISA KEV. Audit policy + bypass list reviewed quarterly catches drift.

Next up — Check Point Threat Prevention Suite

Now your rules know WHO. Next: IPS, Anti-Bot, Anti-Virus, Threat Emulation, Threat Extraction — the 5 blades that catch what shouldn't be there.
