topic Re: Identity Sharing and Cisco ISE in Firewall and Security Management

Identity Sharing and Cisco ISE

Alex- — Tue, 11 Oct 2022 11:02:33 GMT

I'm successfully using Identity Collector and Cisco ISE to send tags to a pilot gateway.

I do not find however if I can use this setup along with Identity Sharing with other gateways of the SMS to share tags like it happens with accounts and the documentation isn't explicit on this.

Should it work?

Firewalls are R80.40 Take 173 with plans to go to R81.10 when the next hotfix is GA.

Re: Identity Sharing and Cisco ISE

G_W_Albrecht — Tue, 11 Oct 2022 13:12:21 GMT

You could use Identity Broker, see:

sk88520: Best Practices - Identity Awareness Large Scale Deployment

sk170765: Identity Awareness Scalable Design - Identity Agent

sk86441: ATRG: Identity Awareness

sk146835: Identity Session Conciliation

Re: Identity Sharing and Cisco ISE

Alex- — Wed, 12 Oct 2022 08:05:51 GMT

For now the solution is to connect the Identity Collector to each gateway, effectively turning them into PDP so the broker would be a more complex way to do the same.

The idea is to have a low-end cluster serving as PDP for the ISE tags and sending them to all other gateways but it seems that nothing happens with tags when this is configured.

Re: Identity Sharing and Cisco ISE

Sorin_Gogean — Wed, 12 Oct 2022 08:37:30 GMT

hey,

as we have deployed also IC in our environment, to grab identities from AD and ISE (TAGS), my recommendation is to have at least 2 IC's per GW/Cluster for redundancy. in our case, as we have 3 clusters, we have set 6 IC's, 2 per each region - so we have redundancy and independency.

as for identity sharing, as I know you can configure a GW to share identities with all other GWs - so what is not working in your case ?

thank you,

Re: Identity Sharing and Cisco ISE

Alex- — Wed, 12 Oct 2022 08:46:26 GMT

I'm using 2 Identity Collectors for redundancy. I had to get a custom JAR file to ensure stability between them and the ISE but since then it works.

Whenever I enable Identity Sharing, tags don't seem to get exchanged. I'm just wondering if they should be or if this feature does not support ISE tags.

Re: Identity Sharing and Cisco ISE

Sorin_Gogean — Wed, 12 Oct 2022 09:31:23 GMT

"I had to get a custom JAR file to ensure stability between them and the ISE but since then it works." - can you elaborate on this a bit more, as I have a problem with IC versions over R80.0119.000 (new ones uses pxGrid v2) and our ISE environment - looses communication after random periods.

In regards to the shared identity, I doubt it will share the ISE TAG, but I think it will share the identity group that the TAG was matched to.

can you check that part, and have a rule with an identity ISE TAG base on an GW that gets identities from another gateway ?

thank you,

Re: Identity Sharing and Cisco ISE

Alex- — Wed, 12 Oct 2022 09:38:05 GMT

That was quite a long case with TAC about the ISE going to Disconnected mode in the Collector and not coming back up short of a reboot of the server, not just the service.

In the end, I got a custom JAR file to replace one in place which completely solved the issue.

Re: Identity Sharing and Cisco ISE

Sorin_Gogean — Wed, 12 Oct 2022 09:43:49 GMT

So I see the same, with newer IC versions, the ISE connections go in Established and data is exchanged, but after 1 hour or 3 hours, they go Disconnected.

In some cases if I restart the service it's coming back but the same will happen in couple of hours, or it's staying Disconnected.

Is it possible to share the CheckPoint case so I can ask my support engineer look and see if there is any resemblance between them?

thank you,

PS: were the versions I share behaving the same, or you don't remember the details ?

Re: Identity Sharing and Cisco ISE

Alex- — Wed, 12 Oct 2022 10:21:43 GMT

I will send you the SR in a private message. What happened is that a message from the ISE wouldn't be accepted by the IC because of some unsupported content, after which the IC would disconnect the ISE and keep on sending keepalives without ever reconnecting. This could happen after an hour or a week, there was no definitive pattern.

Re: Identity Sharing and Cisco ISE

Sorin_Gogean — Wed, 12 Oct 2022 10:24:16 GMT

thank you,

now on the Identity Sharing, check this and let us know how it goes...

"In regards to the shared identity, I doubt it will share the ISE TAG, but I think it will share the identity group that the TAG was matched to.

can you check that part, and have a rule with an identity ISE TAG base on an GW that gets identities from another gateway ?"

ty,

Re: Identity Sharing and Cisco ISE

PhoneBoy — Fri, 14 Oct 2022 15:35:54 GMT

Once identities are acquired, they can be shared with other gateways.
That said, you might need to (manually) create the relevant identity tags on the Check Point side, but that's just a guess.