topic Re: Getting_Started_Guide_PDP_Broker_HF_v7 .pdf in Firewall and Security Management

Getting_Started_Guide_PDP_Broker_HF_v7 .pdf

Peter_Elmer — Tue, 22 Jan 2019 08:38:07 GMT

Scaling identity sharing across management domains and geographical regions is achieved using the PDP Broker architecture element. This document is describing the functionality, installation and related troubleshooting of the PDP Broker. The PDP Broker software HF for R80.10 can be requested contacting Check Point Sales Engineers and will be provided by Check Point Solution Center.

Re: Getting_Started_Guide_PDP_Broker_HF_v7 .pdf

Chris_Atkinson — Fri, 13 Mar 2020 02:17:00 GMT

Those interested in the PDP Broker should now explore R80.40 for this functionality.

Re: Getting_Started_Guide_PDP_Broker_HF_v7 .pdf

Alex_Mondol — Fri, 23 Oct 2020 15:51:32 GMT

we run r80.30 across the board. what is the procedure notes to deploying identity broker on r80.30? we don't want to install it on r80.10 with HF

Re: Getting_Started_Guide_PDP_Broker_HF_v7 .pdf

Royi_Priov — Sun, 25 Oct 2020 09:26:52 GMT

Hi @Alex_Mondol

There is no availability for this project on versions below R80.40, and also the document on this thread was written for R80.10 RFE which is not recommended to use anymore.

Identity Broker is a feature which was released as part of R80.40. There is no need to install an additional HF on top of that. I recommend reviewing Identity Awareness R80.40 admin guide for more info.

Re: Getting_Started_Guide_PDP_Broker_HF_v7 .pdf

Alex_Mondol — Tue, 27 Oct 2020 21:39:24 GMT

Thank you for your response.

New Question arrises. We have two VSX Cluster Gateways at two geographical locations separated by at least 1 hr drive time. Each Cluster of 23500 series gateways we have VSXs that incorporate perimeter FWs of the following like Perimeter, BC, Departmental, and VPN. Since we have collapsed these different zones into two clusters or four gateways if we have deployed two Identity Collector Servers (one at each geographical location) who would you recommend becoming PDPs and PEPs? do the gateways now run PDP and PEP on all FWs?

Re: Getting_Started_Guide_PDP_Broker_HF_v7 .pdf

Royi_Priov — Wed, 28 Oct 2020 10:38:48 GMT

Hi @Alex_Mondol ,

[I would assume you've meant there are 2 separate clusters, one per site (overall 4 gateways).]

I don't think there is an implementation that we consider as a mistake here.

However, take into consideration that PDP is the one which perform the database operations (communication with IDC, perform group fetch by LDAP, Access roles matching with SmartDashboard configuration) - if both cluster gateways will be configured as PDP, this operation will be done twice.

The other option is to have only one PDP gateway (one of the cluster gateways) and use Identity Sharing between sites.

If we are handling a small scale environment (user-wise) - although this is the more resource efficient implementation, I would recommend take the first one (each site configure PDP gateway), to simplify the implementation.

Re: Getting_Started_Guide_PDP_Broker_HF_v7 .pdf

Alex_Mondol — Wed, 28 Oct 2020 19:31:56 GMT

Yes, your assumption is correct ...here are 2 separate clusters, one per site (overall 4 gateways).

Each cluster runs a perimeter (Blades running: IDS/IPS/AV/ANITBOT/), BC (Blades running: AV/Antibot), and VPN(Blades same as Perimeter) All VSX infrastructure...

Would a good design be to put a load of resources for PDP is the one which performs the database operations (communication with IDC, perform group fetch by LDAP, Access roles matching with SmartDashboard configuration) onto the BC which doesn't have too significant load on it to be the PDP and share with PEPs of Perimeter and VPN?

Currently, we have 23500 boxes with 128gig of memory share between VSX and our CORE-XL count for CPUs are 8 for each VS. With these metrics would BC which is less loaded in traffic and inspection points be able to handle the PDP role?