Data for transparent authorization is taken from ActiveDirectory (AD) and/or Syslog logs. With Active Directory, a UserID agent makes requests to AD servers using WMI protocol, whereas with Syslog, the agent listens to the Syslog port (tcp\514 by default) and collects information sent in by Syslog servers. Next, the information is filtered by input/output events and entered into the Database.
The UserID agent makes periodical queries to the database to search for user logon/logoff events. The search is performed only on the records obtained through UserID sources, i.e. other records (obtained through WMI sensors, Endpoints, Log collector) are ignored. Based on the obtained data, it searches for the user in the user catalogs of the log source. If the user is found, the user's authorization data is sent to all NGFW devices specified in the Source redistribution profile, and the user is logged in to NGFW. Thus, the user is authorized on all the specified devices. If the user logs out, the situation is similar (except for WMI Connector, where user logout data is not processed at the moment). Logon/logoff/error information is stored in the UserID log.