https://community.checkpoint.com/t5/Cloud-Firewall/Proper-settings-for-Identity-Awareness-on-vSEC/m-p/11122#M3885 <HTML><HEAD></HEAD><BODY><P>In R77.30 since IDA Web API were not exposed through the management, the TS Agent was piggybacked. in R80.10 the setting is done via the Web API section properly.&nbsp;&nbsp;</P></BODY></HTML> Wed, 15 Nov 2017 15:39:58 GMT Tzvi_Katz 2017-11-15T15:39:58Z https://community.checkpoint.com/t5/Cloud-Firewall/Proper-settings-for-Identity-Awareness-on-vSEC/m-p/11120#M3883 <HTML><HEAD></HEAD><BODY><P>I have been reading the R80.10 vSEC limitations (<SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">sk110519)</SPAN>, and have encountered this:</P><P></P><P style="color: #000000; background-color: #ffffff; font-size: 14px;">To enforce security policy with imported Data Center objects, the following conditions must be met on every vSEC Gateway, on which such policy is installed:</P><UL style="color: #000000; background-color: #ffffff; font-size: 14px;"><LI>vSEC Controller Enforcer Hotfix must be installed</LI><LI><SPAN style="color: #ff0000;"><STRONG>Identity Awareness blade must be activated with Terminal Servers authentication</STRONG></SPAN></LI></UL><P><SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">The<SPAN>&nbsp;</SPAN></SPAN><A href="http://downloads.checkpoint.com/dc/download.htm?ID=54078" style="color: #905690; background-color: #ffffff; text-decoration: none; font-size: 14px;" target="_blank">R80.10 vSEC Controller Administration Guide</A><SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;"><SPAN>&nbsp;</SPAN>describes the procedure for enabling this functionality.</SPAN></P><P></P><P><SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">But I do not recall seeing this requirement in actual vSEC deployment guides.</SPAN></P><P></P><P><SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">Can someone shed a light on what's what with the IA with Terminal Services for vSEC?</SPAN></P></BODY></HTML> Mon, 13 Nov 2017 00:00:56 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Proper-settings-for-Identity-Awareness-on-vSEC/m-p/11120#M3883 Vladimir 2017-11-13T00:00:56Z https://community.checkpoint.com/t5/Cloud-Firewall/Proper-settings-for-Identity-Awareness-on-vSEC/m-p/11121#M3884 <HTML><HEAD></HEAD><BODY><P>It may be that the "Terminal Server" option is required to ensure that Identity Awareness pulls the information from the sent via the Identity Awareness API, which the vSEC Controller uses.</P><P>However, that is merely a guess.&nbsp;</P></BODY></HTML> Mon, 13 Nov 2017 03:53:38 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Proper-settings-for-Identity-Awareness-on-vSEC/m-p/11121#M3884 PhoneBoy 2017-11-13T03:53:38Z https://community.checkpoint.com/t5/Cloud-Firewall/Proper-settings-for-Identity-Awareness-on-vSEC/m-p/11122#M3885 <HTML><HEAD></HEAD><BODY><P>In R77.30 since IDA Web API were not exposed through the management, the TS Agent was piggybacked. in R80.10 the setting is done via the Web API section properly.&nbsp;&nbsp;</P></BODY></HTML> Wed, 15 Nov 2017 15:39:58 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Proper-settings-for-Identity-Awareness-on-vSEC/m-p/11122#M3885 Tzvi_Katz 2017-11-15T15:39:58Z https://community.checkpoint.com/t5/Cloud-Firewall/Proper-settings-for-Identity-Awareness-on-vSEC/m-p/11123#M3886 <HTML><HEAD></HEAD><BODY><P>So the TS setting is not required in R80.X for proper enforcement of policies containing data center objects?</P><P>If this is, indeed, the case, you may want to address it in&nbsp;<SPAN style="color: #000000; background-color: #ffffff;">sk110519.</SPAN></P><P></P><P><SPAN style="color: #000000; background-color: #ffffff;">Thank you,</SPAN></P><P><SPAN style="color: #000000; background-color: #ffffff;">Vladimir</SPAN></P></BODY></HTML> Wed, 15 Nov 2017 15:49:36 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Proper-settings-for-Identity-Awareness-on-vSEC/m-p/11123#M3886 Vladimir 2017-11-15T15:49:36Z https://community.checkpoint.com/t5/Cloud-Firewall/Proper-settings-for-Identity-Awareness-on-vSEC/m-p/11124#M3887 <HTML><HEAD></HEAD><BODY><P>Hi Vlad,</P><P></P><P>I want to share my experience</P><P></P><P>I have vSEC R80.10 gateway with 'Identity Awareness' blade enabled with 'Terminal Services' option.</P><P></P><P>I have configured the 'DataCenter' object to have my Azure subscription in the management server. I can see the management server getting all the updates fine whenever there is change to my Azure datacenter objects</P><P></P><P>Whenever I add 'Tags' to my Azure VM's, the management server is able to recognize the Tags in security policies and updates them.</P><P></P><P>The 'TAGS' don't work when 'Identity Awareness' blade is enabled, It works when I disable the 'Identity Awareness' blade, however the vSEC gateways couldn't get any updated Tags. Other VM's without TAGS are also being allowed by security policies</P><P></P><P>I checked with my SE, he says he could get his TAGS to work fine in his lab. I have an Support ticket open, they have sent it to DEV team for further research. I will update this thread once I have a resolution</P><P></P><P>Does anyone face similar issues with TAGS in their setup?</P><P></P><P>Chandru</P></BODY></HTML> Wed, 15 Nov 2017 16:36:22 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Proper-settings-for-Identity-Awareness-on-vSEC/m-p/11124#M3887 Chandhrasekar_S 2017-11-15T16:36:22Z https://community.checkpoint.com/t5/Cloud-Firewall/Proper-settings-for-Identity-Awareness-on-vSEC/m-p/11125#M3888 <HTML><HEAD></HEAD><BODY><P>Thank you for sharing your experience.</P><P>Please ask your SE about TS options in R80.10 and let us know the outcome of your troubleshooting sessions.</P></BODY></HTML> Wed, 15 Nov 2017 16:55:44 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Proper-settings-for-Identity-Awareness-on-vSEC/m-p/11125#M3888 Vladimir 2017-11-15T16:55:44Z