https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-sharing-how-to-change-modes/m-p/98942#M12446 <P>Unlikely - documentation says:</P> <P class="subheading">Push Sharing Method</P> <P class="tpbodytext">This method is straight-forward: a PDP publishes each identity when it is acquired to the PEP.</P> <P class="note"><STRONG class="bold">Note -</STRONG> It is the only sharing method for the Identity Awareness Security Gateway that runs both as PDP and PEP.</P> Tue, 13 Oct 2020 07:38:23 GMT G_W_Albrecht 2020-10-13T07:38:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-sharing-how-to-change-modes/m-p/62906#M12442 <P>Hello, as per this document:</P><P><A href="https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_IdentityAwareness_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_IdentityAwareness_AdminGuide/150080" target="_blank">https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_IdentityAwareness_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_IdentityAwareness_AdminGuide/150080</A></P><P>there are two methods for a remote PEP gateway to learn identities, Smart-Pull or Push Sharing. Based on the output of "pdp connections pep" command (and the fact we can only see a handful of entries one one the other cluster) it seems we have smart-pull mode.</P><P>I want to change this to push method. We have a second site with an identical cluster and I would like the PEP databases to be synchronised on both. I cannot find anything that tells me how to do this?</P><P>(We are R80.20)</P><P>thanks</P> Tue, 17 Sep 2019 06:12:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-sharing-how-to-change-modes/m-p/62906#M12442 Ryan_Ryan 2019-09-17T06:12:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-sharing-how-to-change-modes/m-p/62927#M12443 <P>This has been an old trick in the first days to cope with IA issues - but it is not (or no longer ?) documented in any sk. This is understandable, as that needs a manual GUIDbedit change on SMS, a thing that should never be done without a good reason&nbsp;<span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span>. Which issues are you experiencing that would justify such a change ?</P> <P>Also, this change is for AD Query only, and AD Query is today commonly replaced by Identity collector. For more information, see <A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk44178&amp;partition=General&amp;product=Identity" target="_blank">sk44178: <STRONG>Identity</STRONG>Logging - Frequently Asked Questions</A>,&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk86441&amp;partition=Advanced&amp;product=Identity" target="_blank">sk86441: <STRONG>ATRG</STRONG>: <STRONG>Identity</STRONG>Awareness,</A>&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108235&amp;partition=General&amp;product=Identity" target="_blank">sk108235: <STRONG>Identity</STRONG>Collector - Technical Overview</A>&nbsp;and&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk88520&amp;partition=General&amp;product=Identity" target="_blank">sk88520: Best Practices - <STRONG>Identity</STRONG>Awareness Large Scale Deployment.</A></P> Tue, 17 Sep 2019 09:21:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-sharing-how-to-change-modes/m-p/62927#M12443 G_W_Albrecht 2019-09-17T09:21:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-sharing-how-to-change-modes/m-p/62998#M12444 <P>Hi thanks for the reply.</P><P>&nbsp;</P><P>Yes I suspected it was a Dbedit under the hood somewhere.</P><P>&nbsp;</P><P>We did have an issue where an ADquery fetched user was showing on one gateway but not on another where an IA rule was used and therefore the users access was not working. It took me a while to understand why so few users where showing on my other shared cluster compared to the cluster doing ADQuery. That issue however has now self resolved.</P><P>So really no reason for us to change mode now - other to to simplify troubleshooting a bit, I still don't fully understand how the smart decides what to pull and what not to pull but I can live with that <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 18 Sep 2019 00:38:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-sharing-how-to-change-modes/m-p/62998#M12444 Ryan_Ryan 2019-09-18T00:38:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-sharing-how-to-change-modes/m-p/98939#M12445 <P>from what i understand from TAC, Push method is not supported by R&amp;D that is why the configuration is not open for all users.</P> Tue, 13 Oct 2020 07:28:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-sharing-how-to-change-modes/m-p/98939#M12445 Dor_Marcovitch 2020-10-13T07:28:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-sharing-how-to-change-modes/m-p/98942#M12446 <P>Unlikely - documentation says:</P> <P class="subheading">Push Sharing Method</P> <P class="tpbodytext">This method is straight-forward: a PDP publishes each identity when it is acquired to the PEP.</P> <P class="note"><STRONG class="bold">Note -</STRONG> It is the only sharing method for the Identity Awareness Security Gateway that runs both as PDP and PEP.</P> Tue, 13 Oct 2020 07:38:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-sharing-how-to-change-modes/m-p/98942#M12446 G_W_Albrecht 2020-10-13T07:38:23Z