topic Re: Identity Awareness in VSX in Firewall and Security Management

Identity Awareness in VSX

CyberBreaker — Mon, 17 Feb 2020 04:28:39 GMT

Hi Guys,

I've done enabling identity awareness in a standalone but not in a VSX environment. Is it possible in VSX? If possible, how the gateway communicate to the AD is it per VS basis?

Thanks

Re: Identity Awareness in VSX

Lari_Luoma — Mon, 17 Feb 2020 06:51:37 GMT

Hi!

What is your specific use case?

In VSX you enable IA on each virtual system and most commands work in VS context as in regular gateway.

Check the following:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk88520

Re: Identity Awareness in VSX

CyberBreaker — Mon, 17 Feb 2020 09:50:24 GMT

Hi @Lari_Luoma ,

The use case is that I have a policy based on AD OU (e.g. Finance or HR) that is why I plan to use the IA blade.

You mean for example in my VS1 I enable IA but in VS2 IA is disable?

Another thing, when I deploy VSX, the dedicated management port is the one I use to register to the Smart Console as the VSX gateway and the internal interface of each VS is the one I use to enroll the VS in Smart Console. Is there's a way to create a sub-interface in the management port so that i can assign that management port sub-interface per VS?

For example, VS1 will have MGMT1.1 then VS2 MGMT1.2, is it possible?

Thanks

Re: Identity Awareness in VSX

Maarten_Sjouw — Mon, 17 Feb 2020 13:32:56 GMT

Some clarifications on VSX are needed it seems.
All communications between VS's and management are done over the VSX Gateway IP, also called VS0, so the IP you set on a Virtual System does not need to be able to communicate with the management server nor with the SmartConsole.
Each VS can be turned on or off regarding Identity Awareness, so you decide if it is needed for that specific VS and you turn it on only for those who need it.

Re: Identity Awareness in VSX

Norbert_Bohusch — Mon, 17 Feb 2020 18:32:25 GMT

Also LDAP communication is using VS0 per default.
If this needs to be changed, because VS0 is not able to reach the needed LDAP-Server, this behavior is controlled as described in the following SK: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk44726&partition=Advanced&product=VSX%22

Re: Identity Awareness in VSX

CyberBreaker — Wed, 19 Feb 2020 15:29:23 GMT

Hi @Lari_Luoma ,

Is the IA blade still supported even in VSX bridge mode for R80.x?

Thanks

Re: Identity Awareness in VSX

Lari_Luoma — Wed, 19 Feb 2020 16:59:36 GMT

IA is not supported in bridge mode VS.

For more information take a look at the following SK.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk101371

Re: Identity Awareness in VSX

CyberBreaker — Wed, 19 Feb 2020 17:08:50 GMT

Hi @Lari_Luoma ,

Thanks for the feedback.

But it supports in non-VSX bridge mode right?

Thanks

Re: Identity Awareness in VSX

Lari_Luoma — Wed, 19 Feb 2020 17:41:22 GMT

Yes, supported in gw mode