topic Re: Identity Awareness - active directory changes / time in Firewall and Security Management

Identity Awareness - active directory changes / time

Lesley — Tue, 08 Nov 2022 15:12:43 GMT

Hi everyone,

I am working with a customer who has an Identity Awareness setup.

I am running 2 collectors on Windows. And a R81.10 cluster with Jumbo take 30.

The customers main complain is that if they make a change in active directory it takes long to be 'active' on the Check Point.

On the Check Point I have a few firewall rules with access roles in it based on a AD group.

The customer adds a new machine(or a user) in the AD group and sees that it is synced to all AD servers. But the rule is not working, after a period of time it starts to work. The customer is wondering if there is any way to speed this up a bit. I noticed sometimes it takes even a few hours. Is there any setting on the gateway or the collector I can change? Or is it random timer?

Thank you for the feedback.

Lesley

Re: Identity Awareness - active directory changes / time

PhoneBoy — Tue, 08 Nov 2022 15:40:00 GMT

Have you implemented: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk169120&partition=Advanced&product=Identity

Re: Identity Awareness - active directory changes / time

Lesley — Tue, 08 Nov 2022 15:49:42 GMT

Thank you for the update. Settings was not enabled. I changed it and now we are going to test it. Will get back to you.

[Expert@FW1:0]# pdp idc groups_update status
automatic LDAP groups update is disabled
[Expert@FW1:0]# pdp idc groups_update on
automatic LDAP groups update is enabled

Re: Identity Awareness - active directory changes / time

the_rock — Wed, 09 Nov 2022 03:32:08 GMT

Ironically enough, I worked with customer who was doing regular AD query (not identity collector) and they asked me about it, but when we spoke to TAC, they said changes would be instant on CP side. Well, not exactly : - ). We still, to this day, notice that most changes do take effect quick, but I would day about 20% of the time, takes a bit of time.

On the other hand, I also work with client who uses 2 IA collectors and they never had this problem, nor did they ever have to implement sk phoneboy mentioned. Maybe its isolated case, I have no clue in the world. All I can say is, I hope the commands help your case.

Re: Identity Awareness - active directory changes / time

Lesley — Wed, 09 Nov 2022 08:16:00 GMT

Thanks all, customer has tested it today and was way quicker, around 5 minutes.