topic Re: Access Roles not synced in Firewall and Security Management

Access Roles not synced

KM1895 — Thu, 30 Mar 2023 09:43:35 GMT

hi,

I have come across a bit of a challenge with identity Awareness.

We are using Identity Collector and identity sharing, with 4 gatewas acting as PDP, and several others as PEP.

A new access role was recently created, with access rule on a PEP gateway. this is currently in test, and will be moved to production if successful

For one user, this works just fine, and he gets the correct access.

For other users, they do not hit this access rule at all.

When i run a pep show user query usr <username>, i see that the new access role is not associated with the user at all.

Have tried running the pdp sync and pdp update on the PDP gateway closest to the PEP gateway, but the new access role is not associated at all with the user.

Is this because of the cache on the PDP gateway, as the users will log on again before the 24 hours expire, thus the cached identity is reused?

What would be a potential consequence if we reduce the time limit on the cache before entries are deleted?

The environment is R81.10 with jumbo t66 on top, and there are only appliances in the environment.

Any input here would be appreciated:)

Re: Access Roles not synced

PhoneBoy — Fri, 31 Mar 2023 03:01:27 GMT

Is the Access Role in use in any policy on the other gateways?
Not sure how the PDP on the remote gateways will handle roles it does not have any rules for.

This might require a TAC case to get to the bottom of.
https://help.checkpoint.com

Re: Access Roles not synced

KM1895 — Fri, 31 Mar 2023 07:13:42 GMT

hi,

I actually didnt check. The pdp and pep gateways are actually connected( they are the internal and external cluster for the customer),

So, it could be that the access rule is not set on the PDP gateway? But is that a requirement in order for the access rule to work on the PEP gateway? if so, i can check this, and copy the rule over if necessary.

Re: Access Roles not synced

KM1895 — Fri, 31 Mar 2023 10:58:59 GMT

update:

The access role is succesfully synced over to the PEP gateway, so that is good.

However, why would it take 48 hours in order for this to sync properly?

Re: Access Roles not synced

PhoneBoy — Fri, 31 Mar 2023 22:22:07 GMT

That's unusual.
Recommend a TAC case to investigate: https://help.checkpoint.com

Re: Access Roles not synced

CheckPointerXL — Thu, 25 Jul 2024 14:00:30 GMT

Hello,

we are facing similiar problem, did you fix it?

an access role in a pep gateway is working only from some users (same vlan, same domain), other user are not synced from PDP gateway, where the identity is corrected associated

Re: Access Roles not synced

the_rock — Thu, 25 Jul 2024 16:53:55 GMT

Maybe this is related? TAC gave us this for similar issue with a customer...

Andy

https://support.checkpoint.com/results/sk/sk181429

Re: Access Roles not synced

CheckPointerXL — Thu, 25 Jul 2024 17:48:29 GMT

thanks Andy,

no, on pdp gateway the identity is ok

TAC Case araised

Re: Access Roles not synced

the_rock — Thu, 25 Jul 2024 17:49:31 GMT

Let us know what they say.

Andy