topic Identity Awareness - Shareing with own Application or 3. Party in Firewall and Security Management

Identity Awareness - Shareing with own Application or 3. Party

Roman_Petry — Fri, 11 Dec 2020 17:14:01 GMT

Hello, we use several CP Gateways and use IA on all of them. We have an Identity Collector instance for our AD and we use the Terminal Server Muh Agent , based on R80.20 infrastructure. Identity Sharing enabled between all systems.

Works great.

We are in need of some help for the Identity Informations from our Terminal Servers. MUH Agent is enabled. PDP Monitor works..

Now to the question.

We have a two vendor strategy and we also need a way to publish Identity Informations to other prodcuts and services.

Is there a way we can share the infos with other systems or via a push information so we can store data in a database via an own service program(webapi, whatever)..

Or any other idea ?

thanks so far

bye

roman

Re: Identity Awareness - Shareing with own Application or 3. Party

PhoneBoy — Sat, 12 Dec 2020 20:43:08 GMT

Gateways have an Identity Awareness API that can be queried for the identities it is aware of.
You can also use it to define identities as well.
See: https://sc1.checkpoint.com/documents/latest/IdentityAPIs/#ida_api_intro~v1

Due to how identity sharing works between gateways, you will most likely need to query all the gateways to get a clear picture of all identities used in the environment.

Re: Identity Awareness - Shareing with own Application or 3. Party

Roman_Petry — Mon, 14 Dec 2020 08:33:09 GMT

Hello and Thanks for this info. i was hoping that there is a better way then quering each server every 1-5 minutes 8-)..I think the load and the delay could be an issue with this approach..

I saw this API in my googling but as it is a pull and not a push technic , it´s not the best way in my opinion.

But i could be wrong..

Is there a way to register as a "identity" gateway sink ? or get a push notification or push way to do such a thing ? other the pulling the api..

thanks and bye roman

Re: Identity Awareness - Shareing with own Application or 3. Party

Tobias_Moritz — Mon, 14 Dec 2020 12:01:01 GMT

Depends on how much effort you want to invest here 🙂

You could do reverse engineering of Check Points pdpd->pepd connection (tcp/15105) and create your own pepd implementation (only the identity receiving part) which would get identity updates pushed from all your pdpds. Good hints to get this working would be sk65404 (how to get the foreign SIC trust working, how to create foreign pepd object in your database) and sk149255 (switch from smart_pull to push for your pepd object).

Will you get support from Check Point for such an architecture? I guess not 🙂

Maybe you could also leverage the more modern identity sharing solution from Check Point "Identity Broker" for that, I did not take a deeper look at it yet.

Any other ideas from the community (or CP staff) for the scenario of identity sharing with pushing identities from Check Point to 3rd party?

Re: Identity Awareness - Shareing with own Application or 3. Party

PhoneBoy — Mon, 14 Dec 2020 21:40:36 GMT

In general, our Identity Awareness was designed around being a consumer of identities, not necessarily a publisher of them, at least to anything other than a Check Point gateway.
I don't believe we have any published APIs to do precisely what you're asking in the manner you're asking for it to be done.
This is probably an RFE.
@Royi_Priov

Re: Identity Awareness - Shareing with own Application or 3. Party

Alejandro_Ferna — Thu, 28 Jan 2021 11:08:29 GMT

Maybe a system that triggers an action on http/s based server when event (login/logout in this case) occurs. Competitors already have something like that.